bug #252 Unlink cleaned up access tokens from refresh tokens (frankdekker)

chalasr · chalasr · commit 242ea1f3d061 · 2025-11-01T01:24:16.000+01:00
This PR was squashed before being merged into the 1.x-dev branch. Discussion ---------- Unlink cleaned up access tokens from refresh tokens Fixes issue: #247 Breaking changes: no Changes `AccessTokenManager::clearExpiredTokens` to: - Find all access token identifiers that have expired. - Execute query to unlink these identifiers from possible refresh tokens. - Thirdly delete the access tokens with those ids. This order ensures that at no point in time there's a refresh token with an invalid access token reference. ## Testing There was already an existing unit test testing the above scenario but didn't trigger the issue because the entity manager wasn't cleared (and the test ran against the EntityManager memory instead of the database). As soon as I added the `$em->clear()` to the test the scenario above occurred. As the original object compare doesn't work anymore as the refresh tokens are actually retrieved from the db instead of the entity manager memory, the DateTime values and object references differ. The test now should find all unlinked refresh tokens. ## Technical choices Looking at the relation between RefreshToken and AccessToken, the relation is defined as `SET TO NULL` when the access token is deleted. However as the access tokens aren't deleted through the EntityManager this `SET TO NULL` is never triggered. An alternative implementation would be to retrieve all the expired AccessTokens and delete them through the EntityManager. However I think performance wise this will not be quick. Commits ------- f1b5c20 Unlink cleaned up access tokens from refresh tokens
diff --git a/src/Manager/Doctrine/AccessTokenManager.php b/src/Manager/Doctrine/AccessTokenManager.php
@@ -8,6 +8,7 @@
 use League\Bundle\OAuth2ServerBundle\Manager\AccessTokenManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Model\AccessToken;
 use League\Bundle\OAuth2ServerBundle\Model\AccessTokenInterface;
+use League\Bundle\OAuth2ServerBundle\Model\RefreshToken;
 
 final class AccessTokenManager implements AccessTokenManagerInterface
 {
@@ -50,12 +51,39 @@ public function clearExpired(): int
             return 0;
         }
 
-        /** @var int */
-        return $this->entityManager->createQueryBuilder()
-            ->delete(AccessToken::class, 'at')
+        /** @var array{identifier: string}[] */
+        $results = $this->entityManager->createQueryBuilder()
+            ->select('at.identifier')
+            ->from(AccessToken::class, 'at')
             ->where('at.expiry < :expiry')
             ->setParameter('expiry', new \DateTimeImmutable(), 'datetime_immutable')
             ->getQuery()
+            ->getScalarResult();
+        if (0 === \count($results)) {
+            return 0;
+        }
+
+        /** @var string[] */
+        $ids = array_column($results, 'identifier');
+
+        // unlink access tokens from refresh tokens
+        $this->entityManager->createQueryBuilder()
+            ->update(RefreshToken::class, 'rt')
+            ->set('rt.accessToken', ':null')
+            ->where('rt.accessToken IN (:ids)')
+            ->setParameter('null', null)
+            ->setParameter('ids', $ids)
+            ->getQuery()
             ->execute();
+
+        // delete expired access tokens
+        $this->entityManager->createQueryBuilder()
+            ->delete(AccessToken::class, 'at')
+            ->where('at.identifier IN (:ids)')
+            ->setParameter('ids', $ids)
+            ->getQuery()
+            ->execute();
+
+        return \count($ids);
     }
 }
diff --git a/tests/Acceptance/DoctrineAccessTokenManagerTest.php b/tests/Acceptance/DoctrineAccessTokenManagerTest.php
@@ -123,10 +123,9 @@ public function testClearExpiredWithRefreshToken(): void
 
         $this->assertSame(3, $doctrineAccessTokenManager->clearExpired());
 
-        $this->assertSame(
-            $testData['output'],
-            $em->getRepository(RefreshToken::class)->findBy(['accessToken' => null], ['identifier' => 'ASC'])
-        );
+        $em->clear();
+
+        self::assertCount(3, $em->getRepository(RefreshToken::class)->findBy(['accessToken' => null], ['identifier' => 'ASC']));
     }
 
     public function testClearExpiredWithRefreshTokenWithoutSavingAccessToken(): void
