fix: remove registration access token when client is deleted

fixes #555
panva · Oct 22, 2019 · e24ad4a · e24ad4a
1 parent 9e015e9
commit e24ad4a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/lib/actions/registration.js b/lib/actions/registration.js
@@ -289,6 +289,7 @@ module.exports = {
       const { oidc: { provider } } = ctx;
 
       await instance(provider).clientRemove(ctx.oidc.client.clientId);
+      await ctx.oidc.entities.RegistrationAccessToken.destroy();
 
       ctx.status = 204;
 

diff --git a/test/registration_management/registration_management.test.js b/test/registration_management/registration_management.test.js
@@ -267,14 +267,18 @@ describe('OAuth 2.0 Dynamic Client Registration Management Protocol', () => {
   });
 
   describe('Client Delete Request', () => {
-    it('responds w/ empty 204 and nocache headers', async function () {
+    it('responds w/ empty 204 and nocache headers and removes the registration access token', async function () {
       const client = await setup.call(this, {});
-      return this.agent.del(`/reg/${client.client_id}`)
+      await this.agent.del(`/reg/${client.client_id}`)
         .auth(client.registration_access_token, { type: 'bearer' })
         .expect('pragma', 'no-cache')
         .expect('cache-control', 'no-cache, no-store')
         .expect('') // empty body
         .expect(204);
+
+      expect(
+        await this.provider.RegistrationAccessToken.find(client.registration_access_token),
+      ).to.be.undefined;
     });
 
     it('populates ctx.oidc.entities', function (done) {