@runeb runeb commented Jan 7, 2026

Summary

Fixes token destruction when refresh requests include invalid scopes. Currently, revokeToken() is called before getScope() validation. If scope validation fails, the token is destroyed without replacement.

Linked issue(s)

Fixes #390

Involved parts of the project

lib/grant-types/refresh-token-grant-type.js - Reordered scope validation to occur before token revocation in the refresh token grant handler.

Added tests?

Yes. Added test in test/integration/grant-types/refresh-token-grant-type_test.js that verifies InvalidScopeError is thrown when extra scope is requested, and that revokeToken()/saveToken() are not called before validation.

OAuth2 standard

RFC 6749 Section 6 states: "The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client."

Current implementation revokes before validation, violating this guidance. The fix ensures revocation only occurs after successful scope validation.

Reproduction

  1. Issue refresh token without scope
  2. Request refresh with invalid scope (e.g., scope=unauthorized)
  3. Before fix: Token destroyed, retry fails with "invalid grant"
  4. After fix: Token preserved, retry succeeds
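The ordering problem the pull request describes, as an added example that is not the pull request's own code nor the code of the project it patches. It is a simplified, synchronous refresh-token grant with an in-memory model; the names `makeModel`, `validateScope`, `handleRefreshBeforeFix`, `handleRefreshAfterFix` and `reproduce`, and the seed token `rt-seed`, are this example's own. `reproduce` walks the four reproduction steps above against either handler and returns what the client would observe, so the two orderings can be compared directly.

```javascript
'use strict';

// Added example (not the project's or the PR's code): a minimal refresh-token
// grant showing why scope validation must run before the old token is revoked.

class InvalidScopeError extends Error {
  constructor(message) { super(message); this.name = 'InvalidScopeError'; }
}
class InvalidGrantError extends Error {
  constructor(message) { super(message); this.name = 'InvalidGrantError'; }
}

let counter = 0;
function newRefreshToken() { return `rt-${++counter}`; }

// In-memory model. Constructed sample: a single refresh token that was granted
// only the "read" scope. The model records every call so the order can be checked.
function makeModel() {
  const store = new Map([
    ['rt-seed', { refreshToken: 'rt-seed', scope: ['read'], userId: 'u1', clientId: 'c1' }],
  ]);
  return {
    calls: [],
    getRefreshToken(value) { this.calls.push('getRefreshToken'); return store.get(value) || null; },
    revokeToken(token) { this.calls.push('revokeToken'); return store.delete(token.refreshToken); },
    saveToken(token) { this.calls.push('saveToken'); store.set(token.refreshToken, token); return token; },
  };
}

// RFC 6749 section 6: a refresh request may not request more scope than was
// originally granted. An empty request keeps the original scope.
function validateScope(requested, token) {
  if (!requested || requested.length === 0) return token.scope;
  const granted = new Set(token.scope);
  if (!requested.every((s) => granted.has(s))) {
    throw new InvalidScopeError('Invalid scope: requested scope exceeds granted scope');
  }
  return requested;
}

function issueReplacement(model, token, scope) {
  return model.saveToken({
    refreshToken: newRefreshToken(), scope, userId: token.userId, clientId: token.clientId,
  });
}

// Ordering before the fix: the old token is revoked first, so a scope failure
// leaves the client with no valid refresh token at all.
function handleRefreshBeforeFix(model, refreshToken, requestedScope) {
  const token = model.getRefreshToken(refreshToken);
  if (!token) throw new InvalidGrantError('Invalid grant: refresh token is invalid');
  model.revokeToken(token);                            // destroyed already...
  const scope = validateScope(requestedScope, token);  // ...so a throw here is unrecoverable
  return issueReplacement(model, token, scope);
}

// Ordering after the fix: validate while the old token still exists, then revoke.
function handleRefreshAfterFix(model, refreshToken, requestedScope) {
  const token = model.getRefreshToken(refreshToken);
  if (!token) throw new InvalidGrantError('Invalid grant: refresh token is invalid');
  const scope = validateScope(requestedScope, token);  // bad scope rejected, token untouched
  model.revokeToken(token);
  return issueReplacement(model, token, scope);
}

// Runs the reproduction steps from the PR description: one refresh with an
// unauthorized scope, then a retry with a valid scope using the same token.
function reproduce(handler) {
  const model = makeModel();
  let firstError = null;
  try { handler(model, 'rt-seed', ['unauthorized']); } catch (e) { firstError = e.name; }
  let retry;
  try {
    retry = handler(model, 'rt-seed', ['read']).refreshToken ? 'ok' : 'no-token';
  } catch (e) {
    retry = e.name;
  }
  return { firstError, retry, calls: model.calls };
}

console.log('before fix:', reproduce(handleRefreshBeforeFix));
console.log('after fix: ', reproduce(handleRefreshAfterFix));
```

The recorded `calls` array is the property the PR's test asserts on: with the corrected ordering, `revokeToken` and `saveToken` never appear for the rejected request, and the retry with a permitted scope succeeds against the same, still-valid token.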

runeb changed the title from "fix(refresh-token): validate scope before revoking token #757" to "fix(refresh-token): validate scope before revoking token #390" on Jan 7, 2026
runeb force-pushed the fix/validate-scope-before-revoke branch from 2f58648 to 4abe326 on January 7, 2026 21:17
