Merge pull request #6 from SelfHacked/develop

Develop
SelfHacked · Sep 10, 2020 · 421f7f5 · 421f7f5
2 parents 22fab32 + 8ce9361
commit 421f7f5
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 2 deletions.
diff --git a/oidc_provider/admin.py b/oidc_provider/admin.py
@@ -6,7 +6,7 @@
 from django.contrib import admin
 from django.utils.translation import ugettext_lazy as _
 
-from oidc_provider.models import Client, Code, Token, RSAKey
+from oidc_provider.models import Client, Code, Token, RSAKey, RefreshToken
 
 
 class ClientForm(ModelForm):
@@ -90,3 +90,10 @@ def has_add_permission(self, request):
 class RSAKeyAdmin(admin.ModelAdmin):
 
     readonly_fields = ['kid']
+
+
+@admin.register(RefreshToken)
+class RefreshTokenAdmin(admin.ModelAdmin):
+
+    def has_add_permission(self, request):
+        return False
diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
@@ -133,6 +133,13 @@ def validate_params(self):
                 logger.debug(
                     '[Token] Refresh token expired: %s', self.params['refresh_token'])
                 raise TokenError('invalid_token')
+
+            if not self.refresh_token.user.is_active:
+                logger.debug(
+                    '[Token] User inactive for the token: %s',
+                    self.params['refresh_token'],
+                )
+                raise TokenError('invalid_token')
         elif self.params['grant_type'] == 'client_credentials':
             if not self.client._scope:
                 logger.debug('[Token] Client using client credentials with empty scope')

diff --git a/oidc_provider/tests/cases/test_token_endpoint.py b/oidc_provider/tests/cases/test_token_endpoint.py
@@ -465,6 +465,21 @@ def test_refresh_token_not_expired(self, scope=None):
         response = self._refresh_request(elapsed_time=(24 * 60 * 60) - 1)
         self.assertIn('id_token', response.content.decode('utf-8'))
 
+    @override_settings(OIDC_IDTOKEN_INCLUDE_CLAIMS=True)
+    @override_settings(OIDC_REFRESH_TOKEN_EXPIRE=24 * 60 * 60)
+    def test_refresh_token_user_inactive(self, scope=None):
+        """
+        Refresh token user status
+        Make sure that user of the refresh token is active.
+        """
+        # mark user as inactive
+        self.user.is_active = False
+        self.user.save()
+
+        # refresh token request
+        response = self._refresh_request(elapsed_time=(24 * 60 * 60) - 1)
+        self.assertIn('invalid_token', response.content.decode('utf-8'))
+
     def _refresh_request(self, elapsed_time):
         code = self._create_code()
         self.assertEqual(code.scope, ['openid', 'email'])

diff --git a/oidc_provider/version.py b/oidc_provider/version.py
@@ -1 +1 @@
-__version__ = '1.0.0'
+__version__ = '1.0.1'