Logout process now revokes Mastodon auth token associated to session

master
Bofh 1 year ago
parent 4590975b96
commit f83f86554c

@ -2,10 +2,35 @@
<?php
if ($valid_cookie) {
$sm = $db->prepare('DELETE FROM oauth_tokens WHERE cookie = ?');
$sm = $db->prepare('SELECT access_token, auth_more FROM oauth_tokens WHERE cookie = ?');
$sm->execute([$cookie]);
if ($sm->rowCount() === 1) {
setcookie('rf_sess', null);
if (($row = $sm->fetchObject()) !== false) {
switch ($user->account_type)
{
case 'mastodon':
$row->auth_more = @json_decode($row->auth_more);
if (isset($row->auth_more->result->client_id)) {
$ch = curl_init($row->auth_more->instance.'/oauth/revoke');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'client_id' => $row->auth_more->result->client_id,
'client_secret' => $row->auth_more->result->client_secret,
'token' => $row->access_token
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);
# we don't care about the output
}
break;
}
# delete token from database (YES, actually delete)
$sm = $db->prepare('DELETE FROM oauth_tokens WHERE cookie = ?');
$sm->execute([$cookie]);
if ($sm->rowCount() === 1) {
setcookie('rf_sess', null);
}
}
}

Loading…
Cancel
Save