tests for #229

masci · masci · commit 8beabc796d59 · 2015-05-24T11:10:44.000+02:00
diff --git a/oauth2_provider/tests/test_authorization_code.py b/oauth2_provider/tests/test_authorization_code.py
@@ -10,7 +10,7 @@
 from django.utils import timezone
 
 from ..compat import urlparse, parse_qs, urlencode, get_user_model
-from ..models import get_application_model, Grant, AccessToken
+from ..models import get_application_model, Grant, AccessToken, RefreshToken
 from ..settings import oauth2_settings
 from ..views import ProtectedResourceView
 
@@ -547,6 +547,37 @@ def test_refresh(self):
         content = json.loads(response.content.decode("utf-8"))
         self.assertTrue('invalid_grant' in content.values())
 
+    def test_refresh_invalidates_old_tokens(self):
+        """
+        Ensure existing refresh tokens are cleaned up when issuing new ones
+        """
+        self.client.login(username="test_user", password="123456")
+        authorization_code = self.get_auth()
+
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': 'http://example.it'
+        }
+        auth_headers = self.get_basic_auth_header(self.application.client_id, self.application.client_secret)
+
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        content = json.loads(response.content.decode("utf-8"))
+
+        rt = content['refresh_token']
+        at = content['access_token']
+
+        token_request_data = {
+            'grant_type': 'refresh_token',
+            'refresh_token': rt,
+            'scope': content['scope'],
+        }
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 200)
+
+        self.assertFalse(RefreshToken.objects.filter(token=rt).exists())
+        self.assertFalse(AccessToken.objects.filter(token=at).exists())
+
     def test_refresh_no_scopes(self):
         """
         Request an access token using a refresh token without passing any scope
diff --git a/oauth2_provider/tests/test_token_revocation.py b/oauth2_provider/tests/test_token_revocation.py
@@ -118,6 +118,7 @@ def test_revoke_refresh_token(self):
         response = self.client.post(url)
         self.assertEqual(response.status_code, 200)
         self.assertFalse(RefreshToken.objects.filter(id=rtok.id).exists())
+        self.assertFalse(AccessToken.objects.filter(id=rtok.access_token.id).exists())
 
     def test_revoke_token_with_wrong_hint(self):
         """
