- Issue created by @dunjincan
- 🇵🇱Poland dunjincan
Attached patch fixes the inconsistent refresh token removal in collectForAccount().
The issue was that collectForAccount() excludes refresh tokens but then calls
collectForClient() which ignores this exclusion. This caused refresh tokens to
be removed when user is consumer default user.Fix ensures consistent behavior regardless of consumer configuration.
Ready for review.
- 🇵🇱Poland dunjincan
After implementing this change, you might need to modify the function responsible for invalidating all tokens. In such a scenario, it's crucial to remember to call collectForClient($client, TRUE).
Failing to do so could introduce a security vulnerability, as refresh tokens would remain active by default. When a user logs out, for instance, we typically want all associated tokens to be invalidated immediately to ensure complete session termination.
- First commit to issue fork.
- Merge request !187Issue #3531263: Exclude refresh tokens by default in collectForClient method → (Merged) created by bojan_dev
-
bojan_dev →
committed 529ca16b on 6.0.x
Issue #3531263: Exclude refresh tokens by default in collectForClient...
-
bojan_dev →
committed 529ca16b on 6.0.x
- 🇳🇱Netherlands bojan_dev
Thank you @dunjincan for reporting and providing a patch, I have updated the associated unit tests, because there were breaking due to this change.
Automatically closed - issue fixed for 2 weeks with no activity.