From 85d8d5300c8a548f99d199a918f4c86d129c81fa Mon Sep 17 00:00:00 2001
From: Emily Stark
Date: Fri, 3 Jan 2014 13:27:14 -0800
Subject: [PATCH] Confirm that we hit the right URL when revoking tokens.

Require token revoke endpoints to return JSON with a `tokenRevoked` key, to avoid being fooled by endpoints that don't understand token revocation but just happened to return 200 status codes.
---
 tools/auth.js | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/tools/auth.js b/tools/auth.js
index 8bb65091e5..e912bf0b19 100644
--- a/tools/auth.js
+++ b/tools/auth.js
@@ -196,15 +196,28 @@ var tryRevokeOldTokens = function (options) {
 }

 var response = result.response;
- if (response.statusCode === 200) {
- // Server confirms that the tokens have been revoked
- // (Be careful to reread session data in case httpHelpers changed it)
- data = readSessionData();
- var session = getSession(data, domain);
- session.pendingRevoke = _.difference(session.pendingRevoke, tokenIds);
- if (! session.pendingRevoke.length)
- delete session.pendingRevoke;
- writeSessionData(data);
+ if (response.statusCode === 200 &&
+ response.body) {
+ try {
+ var body = JSON.parse(response.body);
+ if (body.tokenRevoked) {
+ // Server confirms that the tokens have been revoked. Checking for a
+ // `tokenRevoked` key in the response confirms that we hit an actual
+ // accounts server that understands that we were trying to revoke some
+ // tokens, not just a random URL that happened to return a 200
+ // response.
+
+ // (Be careful to reread session data in case httpHelpers changed it)
+ data = readSessionData();
+ var session = getSession(data, domain);
+ session.pendingRevoke = _.difference(session.pendingRevoke, tokenIds);
+ if (! session.pendingRevoke.length)
+ delete session.pendingRevoke;
+ writeSessionData(data);
+ }
+ } catch (e) {
+ logoutFailWarning(domain);
+ }
 } else {
 logoutFailWarning(domain);
 }
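Review bot: A 200 response whose body parses as JSON but has no truthy `tokenRevoked` — exactly the "random URL that happened to return a 200" case the commit message describes — falls through silently, because the new `if (body.tokenRevoked)` block has no else branch: neither the session update nor `logoutFailWarning(domain)` runs, so the ids presumably stay in `pendingRevoke` for a later retry but the user gets none of the warning the parse-failure and non-200 paths emit. Adding `} else { logoutFailWarning(domain); }` after the inner `if` block makes that path report consistently with the other failure paths. The `try` also wraps `readSessionData()`/`getSession()`/`writeSessionData()`, so a session-file error would be reported as a revoke failure; narrowing it to the parse alone, e.g. `var body; try { body = JSON.parse(response.body); } catch (e) { logoutFailWarning(domain); return; }` (or an equivalent flag), keeps the two diagnostics distinct. The enclosing tryRevokeOldTokens function starts outside the hunk.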