Check that provider callback exists before refreshing tokens

joelbutcher · Sep 12, 2023 · 51df430 · 51df430
1 parent 006612b
commit 51df430
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/src/HasOauth2Tokens.php b/src/HasOauth2Tokens.php
@@ -46,6 +46,12 @@ protected function token(): Attribute
      */
     public function canRefreshToken(): bool
     {
+        $provider = $this->getAttribute('provider');
+
+        if (! (Socialstream::$refreshTokenResolvers[$provider] ?? null)) {
+            return false;
+        }
+
         return $this->hasExpiredToken() && $this->hasRefreshToken();
     }
 

diff --git a/tests/Unit/RefreshesOauthTokensTest.php b/tests/Unit/RefreshesOauthTokensTest.php
@@ -109,3 +109,23 @@
     $this->assertNotEquals('new-refresh-token', $connectedAccount->refresh_token);
     $this->assertEquals(null, $connectedAccount->secret);
 });
+
+it('does not allow refreshing tokens if a callback does not exist', function () {
+    $this->migrate();
+
+    $providerUser = new OAuth2User;
+    $providerUser->id = '1234567890';
+    $providerUser->name = 'Joel Butcher';
+    $providerUser->email = '[email protected]';
+    $providerUser->token = Str::random(64);
+    $providerUser->refreshToken = Str::random(64);
+    $providerUser->expiresIn = 0;
+
+    sleep(1);
+
+    $createAction = new CreateUserFromProvider(new CreateConnectedAccount);
+    $user = $createAction->create('custom-provider', $providerUser);
+    $connectedAccount = $user->currentConnectedAccount;
+
+    $this->assertFalse($connectedAccount->canRefreshToken());
+});