fix: revoke access token on duplicate auth code user (#786)

* fix: revoke access token on duplicate auth code user * fix: review comments * tests: fix tests
2026-04-17 03:06:11 +00:00 · 2026-04-14 12:45:27 +03:00
parent 578172d01e
commit 6f99e7acff
9 changed files with 113 additions and 9 deletions
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -275,6 +275,9 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	case "authorization_code":
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
+			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
+				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
+			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{