fix: revoke access token on duplicate auth code user (#786)

* fix: revoke access token on duplicate auth code user * fix: review comments * tests: fix tests
2026-04-16 02:36:10 +00:00 · 2026-04-14 12:45:27 +03:00
parent 578172d01e
commit 6f99e7acff
9 changed files with 113 additions and 9 deletions
--- a/sql/oidc_queries.sql
+++ b/sql/oidc_queries.sql
@@ -48,9 +48,10 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
+    "code_hash",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;

@@ -75,6 +76,10 @@ WHERE "refresh_token_hash" = ?;
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;

+-- name: DeleteOidcTokenByCodeHash :exec
+DELETE FROM "oidc_tokens"
+WHERE "code_hash" = ?;
+
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
--- a/sql/oidc_schemas.sql
+++ b/sql/oidc_schemas.sql
@@ -13,6 +13,7 @@ CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
+    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,