From 9113a5a1d1c0edb38d3f10ada12dcd3881d56d9e Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 26 Feb 2024 13:26:03 +0100
Subject: [PATCH] Delete authorization codes on client revocation
---
 client.go | 2 +-
 db.go | 24 +++++++++++++++++++++---
diff --git a/client.go b/client.go
index 692132ac77744eb23cc34a15fc22d8ed0e901a5d..63a914e76ef0393db9d2f8d4f8f7ccec55c568df 100644
--- a/client.go
+++ b/client.go
@@ -158,7 +158,7 @@ http.Redirect(w, req, "/login", http.StatusFound)
 return
 }

- if err := db.RevokeAccessTokens(ctx, id, loginToken.User); err != nil {
+ if err := db.RevokeClientUser(ctx, id, loginToken.User); err != nil {
 httpError(w, err)
 return
 }
diff --git a/db.go b/db.go
index cf405ab7dc70c155036c51b41847655c74b5c73d..4de5d8d803136b3812a2bfff80614d55057c7aae 100644
--- a/db.go
+++ b/db.go
@@ -284,12 +284,30 @@ _, err := db.db.ExecContext(ctx, "DELETE FROM AccessToken WHERE id = ?", id)
 return err
 }

-func (db *DB) RevokeAccessTokens(ctx context.Context, clientID ID[*Client], userID ID[*User]) error {
- _, err := db.db.ExecContext(ctx, `
+func (db *DB) RevokeClientUser(ctx context.Context, clientID ID[*Client], userID ID[*User]) error {
+ tx, err := db.db.BeginTx(ctx, nil)
+ if err != nil {
+ return err
+ }
+ defer tx.Rollback()
+
+ _, err = tx.ExecContext(ctx, `
 DELETE FROM AccessToken
 WHERE client = ? AND user = ?
 `, clientID, userID)
- return err
+ if err != nil {
+ return err
+ }
+
+ _, err = tx.ExecContext(ctx, `
+ DELETE FROM AuthCode
+ WHERE client = ? AND user = ?
+ `, clientID, userID)
+ if err != nil {
+ return err
+ }
+
+ return tx.Commit()
 }

 func (db *DB) CreateAuthCode(ctx context.Context, code *AuthCode) error {
-- 2.48.1
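Review bot: `RevokeClientUser` in db.go is exported and now carries the revocation contract, but it has no doc comment stating it; I would add `// RevokeClientUser deletes, in a single transaction, every access token and authorization code issued to clientID on behalf of userID.` above the signature. The transaction makes the two deletes atomic with respect to each other, but on its own it does not stop a token exchange that has already read an `AuthCode` row from inserting a fresh `AccessToken` after this commit. The exchange path is not visible in this patch, so it is worth confirming that it consumes the code and creates the token inside one transaction and fails when the code row is already gone. Ignoring the result of the deferred `tx.Rollback()` is fine here, since after a successful `Commit` it only reports `sql.ErrTxDone`.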