authorAlex Gleason <alex@alexgleason.me>2020-10-29 15:51:18 -0500
committerAlex Gleason <alex@alexgleason.me>2020-10-29 15:51:18 -0500
commite8b436e1aff226c52458bdb10c058f1ba9ad51ca (patch)
treebbe835551eabddd27885c0feef18e5657a2cb795
parent6231de27ac121833a179c07de959ccab2b2202a6 (diff)
Clear user's session cookie when an OAuth token is revoked
-rw-r--r--lib/pleroma/web/o_auth/o_auth_controller.ex4
-rw-r--r--test/pleroma/web/o_auth/o_auth_controller_test.exs38
2 files changed, 41 insertions, 1 deletions
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 2d315d4c4..e3cf35a2b 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -375,7 +375,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
with {:ok, app} <- Token.Utils.fetch_app(conn),
{:ok, _token} <- RevokeToken.revoke(app, params) do
- json(conn, %{})
+ conn
+ |> Plug.Conn.delete_session(:user_id)
+ |> json(%{})
else
_error ->
# RFC 7009: invalid tokens [in the request] do not cause an error response
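Review bot: The added `Plug.Conn.delete_session(:user_id)` runs on every successful revocation without checking that the revoked token belongs to the user whose id is in the session, so a browser session is dropped even when the app revokes some other user's token (the `with` already has the token in hand but discards it as `_token`). If the unconditional logout is intended as a fail-safe, say so in a comment such as `# Any successful revoke ends the browser session, regardless of which user owned the token`; otherwise compare the token's owner with the session value before deleting, as sketched below. Note also that `delete_session/2` raises unless the session has already been fetched, so this relies on the route's pipeline calling `fetch_session` (the "deletes a token" test passing with a bare `build_conn()` suggests it does, but that is not visible here). The body of `token_revoke` continues past this hunk into the `else` branch.

```elixir
with {:ok, app} <- Token.Utils.fetch_app(conn),
     {:ok, token} <- RevokeToken.revoke(app, params) do
  conn
  |> maybe_delete_session(token)
  |> json(%{})
# … unchanged: else branch (RFC 7009) and end of token_revoke …

# Drop the browser session only when it belongs to the user whose token was revoked.
defp maybe_delete_session(conn, %{user_id: user_id}) do
  if Plug.Conn.get_session(conn, :user_id) == user_id do
    Plug.Conn.delete_session(conn, :user_id)
  else
    conn
  end
end
```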
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index d1fe894a8..251918f7b 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -1256,6 +1256,44 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
end
end
+ describe "POST /oauth/revoke" do
+ test "deletes a token" do
+ app = insert(:oauth_app, scopes: ["read"])
+ token = insert(:oauth_token, app: app)
+
+ result =
+ build_conn()
+ |> post("/oauth/revoke", %{
+ "client_id" => app.client_id,
+ "client_secret" => app.client_secret,
+ "token" => token.token
+ })
+ |> json_response(200)
+
+ assert result == %{}
+ assert {:error, :not_found} = Pleroma.Web.OAuth.Token.get_by_token(app, token.token)
+ end
+
+ test "clears the session_id from user cookies" do
+ user = insert(:user)
+ app = insert(:oauth_app, scopes: ["read"])
+ token = insert(:oauth_token, app: app, user: user)
+
+ conn =
+ build_conn()
+ |> Plug.Session.call(Plug.Session.init(@session_opts))
+ |> fetch_session()
+ |> put_session(:user_id, user.id)
+ |> post("/oauth/revoke", %{
+ "client_id" => app.client_id,
+ "client_secret" => app.client_secret,
+ "token" => token.token
+ })
+
+ refute get_session(conn, :user_id)
+ end
+ end
+
describe "POST /oauth/revoke - bad request" do
test "returns 500" do
response =