From f83f86554c0daff0bed00f8f191a4f8297952dfc Mon Sep 17 00:00:00 2001 From: Bastard Operator Date: Sat, 27 Nov 2021 03:18:05 +0100 Subject: [PATCH] Logout process now revokes Mastodon auth token associated to session --- public/logout/index.php | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/public/logout/index.php b/public/logout/index.php index 433c523..ba0bd0c 100644 --- a/public/logout/index.php +++ b/public/logout/index.php @@ -2,10 +2,35 @@ prepare('DELETE FROM oauth_tokens WHERE cookie = ?'); + $sm = $db->prepare('SELECT access_token, auth_more FROM oauth_tokens WHERE cookie = ?'); $sm->execute([$cookie]); - if ($sm->rowCount() === 1) { - setcookie('rf_sess', null); + if (($row = $sm->fetchObject()) !== false) { + switch ($user->account_type) + { + case 'mastodon': + $row->auth_more = @json_decode($row->auth_more); + if (isset($row->auth_more->result->client_id)) { + $ch = curl_init($row->auth_more->instance.'/oauth/revoke'); + curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); + curl_setopt($ch, CURLOPT_POSTFIELDS, [ + 'client_id' => $row->auth_more->result->client_id, + 'client_secret' => $row->auth_more->result->client_secret, + 'token' => $row->access_token + ]); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_exec($ch); + curl_close($ch); + # we don't care about the output + } + break; + } + + # delete token from database (YES, actually delete) + $sm = $db->prepare('DELETE FROM oauth_tokens WHERE cookie = ?'); + $sm->execute([$cookie]); + if ($sm->rowCount() === 1) { + setcookie('rf_sess', null); + } } }
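Review bot: The revocation request to `$row->auth_more->instance.'/oauth/revoke'` runs inline in the logout path with no timeout and its result is discarded, so a slow or unreachable instance can stall logout, and a failed revocation leaves the Mastodon token valid with no trace once the row (and the `client_secret` needed to retry) has been deleted. The `isset()` guard also covers only `client_id`, while `instance` and `client_secret` are dereferenced unchecked. I would set connect and total timeouts, check `curl_exec()` and the response code, and log failures without the token or secret; if `instance` is stored with its scheme (not visible here), restricting the handle with `CURLOPT_PROTOCOLS` set to `CURLPROTO_HTTPS` would also keep the secret off plaintext or non-HTTP schemes. The enclosing `if` block opens above the visible hunk lines, so where `$user` and `$cookie` come from cannot be checked from here.

```php
if (isset($row->auth_more->instance, $row->auth_more->result->client_id, $row->auth_more->result->client_secret)) {
    $ch = curl_init($row->auth_more->instance.'/oauth/revoke');
    # … unchanged: CURLOPT_CUSTOMREQUEST, CURLOPT_POSTFIELDS, CURLOPT_RETURNTRANSFER …
    # timeout values are illustrative; bound the time logout can spend on a remote host
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $revoked = curl_exec($ch) !== false
        && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    if (!$revoked) {
        # record the failure, never the token or client_secret
        error_log('mastodon token revocation failed: '.curl_error($ch));
    }
    curl_close($ch);
```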