Merge pull request #1778 from hannahyeates/fix-make-token-revocation-idempotent

nbulaj · web-flow · commit fab213cdfbca · 2025-08-19T15:08:58.000+03:00
fix: ensure that token revocation is idempotent
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ User-visible changes worth mentioning.
 
 Add your entry here.
 - [#1775] Fix Applications Secret Not Null Constraint generator
+- [#1778] Ensure that token revocation is idempotent by checking that that token has not already been revoked before revoking.
 
 ## 5.8.2
 
diff --git a/lib/doorkeeper/models/concerns/revocable.rb b/lib/doorkeeper/models/concerns/revocable.rb
@@ -9,6 +9,7 @@ module Revocable
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
+        return if revoked?
         update_attribute(:revoked_at, clock.now.utc)
       end
 
diff --git a/spec/lib/models/revocable_spec.rb b/spec/lib/models/revocable_spec.rb
@@ -10,12 +10,26 @@
   end
 
   describe "#revoke" do
+    let(:revoked_at) { nil }
+
+    before do
+      allow(fake_object).to receive(:revoked_at).and_return(revoked_at)
+    end
+
     it "updates :revoked_at attribute with current time" do
       utc = double utc: double
       clock = double now: utc
       expect(fake_object).to receive(:update_attribute).with(:revoked_at, clock.now.utc)
       fake_object.revoke(clock)
     end
+
+    context "when the object is already revoked" do
+      let(:revoked_at) { Time.now.utc - 1000 }
+
+      it "does not update :revoked_at attribute" do
+        expect(fake_object).not_to receive(:update_attribute)
+      end
+    end
   end
 
   describe "#revoked?" do

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ module Revocable`
`9`	`9`	`# @param clock [Time] time object`
`10`	`10`	`#`
`11`	`11`	`def revoke(clock = Time)`
	`12`	`+ return if revoked?`
`12`	`13`	`update_attribute(:revoked_at, clock.now.utc)`
`13`	`14`	`end`
`14`	`15`