GODT-2131: if refresh token is revoked, user gets signed out.

2025-12-11 05:06:51 +00:00 · 2022-11-21 19:54:38 +01:00
parent 520361f7f3
commit 1abda7555d
3 changed files with 10 additions and 3 deletions
--- a/internal/bridge/user.go
+++ b/internal/bridge/user.go
@ -19,6 +19,7 @@ package bridge

 import (
 	"context"
+	"errors"
 	"fmt"
 	"runtime"

@ -358,6 +359,12 @@ func (bridge *Bridge) loadUsers(ctx context.Context) error {
 func (bridge *Bridge) loadUser(ctx context.Context, user *vault.User) error {
 	client, auth, err := bridge.api.NewClientWithRefresh(ctx, user.AuthUID(), user.AuthRef())
 	if err != nil {
+		if apiErr := new(liteapi.Error); errors.As(err, &apiErr) && (apiErr.Code == liteapi.AuthRefreshTokenInvalid) {
+			// The session cannot be refreshed, we sign out the user by clearing his auth secrets.
+			if err := user.Clear(); err != nil {
+				logrus.WithError(err).Warn("Failed to clear user secrets")
+			}
+		}
 		return fmt.Errorf("failed to create API client: %w", err)
 	}