Contrib.social

collectForAccount() inconsistently removes refresh tokens when user is consumer default user

Open on Drupal.org →
Created on 20 June 2025, 14 days ago

Problem: collectForAccount() explicitly excludes refresh tokens with:
$query->condition('bundle', 'refresh_token', '!=');

However, it then calls collectForClient() which IGNORES this exclude and collects ALL tokens, including refresh tokens.

This causes inconsistent behavior:
- If user is NOT consumer default user → refresh tokens preserved ✅
- If user IS consumer default user → refresh tokens removed ❌

This breaks OAuth refresh token flow for mobile applications.

Steps to reproduce:
1. Create consumer with user_id = 123
2. Generate OAuth tokens for user 123
3. Update user entity (triggers collectForAccount())
4. Refresh tokens are removed despite explicit exclude

Expected: collectForAccount() should never remove refresh tokens
Actual: Refresh tokens removed if user is consumer default user

🐛 Bug report
Status

Needs review

Version

6.0

Component

Code

Created by

🇵🇱Poland dunjincan

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @dunjincan
  • Comment 14 days ago
    🇵🇱Poland dunjincan

    Attached patch fixes the inconsistent refresh token removal in collectForAccount().

    The issue was that collectForAccount() excludes refresh tokens but then calls
    collectForClient() which ignores this exclusion. This caused refresh tokens to
    be removed when user is consumer default user.

    Fix ensures consistent behavior regardless of consumer configuration.

    Ready for review.

  • Comment 13 days ago
    🇵🇱Poland dunjincan

    After implementing this change, you might need to modify the function responsible for invalidating all tokens. In such a scenario, it's crucial to remember to call collectForClient($client, TRUE).

    Failing to do so could introduce a security vulnerability, as refresh tokens would remain active by default. When a user logs out, for instance, we typically want all associated tokens to be invalidated immediately to ensure complete session termination.

  • Comment 13 days ago
    🇵🇱Poland dunjincan
  • First commit to issue fork.
  • Merge request !187Issue #3531263: Exclude refresh tokens by default in collectForClient method → (Merged) created by bojan_dev
  • Comment 1 day ago
    System Message
    • bojan_dev committed 529ca16b on 6.0.x 
      Issue #3531263: Exclude refresh tokens by default in collectForClient...
  • Comment 1 day ago
    🇳🇱Netherlands bojan_dev

    Thank you @dunjincan for reporting and providing a patch, I have updated the associated unit tests, because there were breaking due to this change.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024