I'm overriding Doorkeeper's AuthorizationsController. As the docs suggested, I inherit from the AuthorizationsController. The code below shows my latest attempt at the override.
What I currently have
Basically, I add an extra if statement around the new Authorization Doorkeeper process. I've added lines 3-7, and currently that works fine. It returns :error if line 6 is equal to true.
My question
I can still see the AccessToken via the browser URL and the server log. So as a user, I could still use this AccessToken to retrieve some data with Postman, for example, even though it gave me an error when signing in. Why is this? And how could I prevent this from happening?
class AuthorizationsController < Doorkeeper::AuthorizationsController
  def new
    # Look the client up through pre_auth only; calling authorization.authorize
    # here would run the grant (and issue a token) before the membership check.
    application = Application.find(pre_auth.client.id)
    resource_owner = User.find(current_resource_owner)
    # Only the application's owner or an enrolled user may proceed.
    if application.users.exclude?(resource_owner) && application.owner != resource_owner
      render :error
    elsif pre_auth.authorizable?
      if skip_authorization? || matching_token?
        auth = authorization.authorize
        redirect_to auth.redirect_uri
      else
        render :new
      end
    else
      render :error
    end
  end
end
If you check the introduction to OAuth2 written by DigitalOcean, my if statement still succeeds on step 3 'User-agent Receives Access Token with Redirect URI', because I can see the AccessToken with the redirect URI in my browser URL. And after step 3 it gives me the :error.
UPDATE
The whole process of generating an AccessToken is already finished before my override on the AuthorizationsController starts. I added a simple before_action to print to the server log, but before that Doorkeeper::AccessToken Load (0.9ms)  SELECT  'oauth_access_tokens'.* FROM 'oauth_access_tokens' WHERE 'oauth_access_tokens'.'token' = 'x' LIMIT 1 happens.
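Added example (not from the question or from Doorkeeper): the membership check pulled out into a plain Ruby policy that runs offline against constructed DemoUser/DemoApplication structs, plus an override that runs it as a before_action for every authorization action, since the POST to create is what actually issues the grant and a check living only in new can be skipped. The controller part assumes Doorkeeper's pre_auth, current_resource_owner and Client#application helpers and only defines itself when Doorkeeper is loaded.

```ruby
module ClientAccessPolicy
  # application must respond to #owner and #users; resource_owner is the signed-in user.
  # True only for the app owner or an explicitly enrolled user; nil on either side denies.
  def self.allowed?(application, resource_owner)
    return false if application.nil? || resource_owner.nil?
    return true if application.owner == resource_owner
    application.users.include?(resource_owner)
  end
end

# Constructed stand-ins for the Rails models so the policy can be exercised without a DB.
DemoUser        = Struct.new(:id, :email)
DemoApplication = Struct.new(:id, :owner, :users)

# Returns a hash of email => allowed? for an app owned by alice with bob enrolled.
def demo
  alice   = DemoUser.new(1, 'alice@example.com')
  bob     = DemoUser.new(2, 'bob@example.com')
  mallory = DemoUser.new(3, 'mallory@example.com')
  app = DemoApplication.new(10, alice, [bob])
  [alice, bob, mallory].map { |u| [u.email, ClientAccessPolicy.allowed?(app, u)] }.to_h
end

if defined?(Doorkeeper::AuthorizationsController)
  class AuthorizationsController < Doorkeeper::AuthorizationsController
    # Guard new, create and destroy alike: new only renders the consent page,
    # create is the request that issues the grant or token.
    before_action :ensure_client_access

    private

    def ensure_client_access
      # pre_auth resolves the client from client_id without issuing anything.
      application = pre_auth.client&.application
      return if ClientAccessPolicy.allowed?(application, current_resource_owner)

      render :error, status: :forbidden
    end
  end
end
```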
You are assuming that the token you see in your browser URL is an OAuth access_token. It is actually just a JWT (JSON Web Token). I'm assuming this token is some sort of session token, because the user has not been authorized by Doorkeeper to use the application. You're wrongfully assuming that your OAuth flow reaches the 'User-agent Receives Access Token with Redirect URI' step.
The token in your url is not harmful at all, so there is no reason for you to prevent your application from issuing one. If the user discontinues their session, the token becomes useless.
Hope this helps :)