Reject revoked OAuth tokens in API auth (#1711)

2026-05-09 21:54:58 +00:00 · 2026-05-09 01:39:10 +02:00
parent 8abecf8a8d
commit b74014ab42
2 changed files with 18 additions and 1 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -62,7 +62,7 @@ class Api::V1::BaseController < ApplicationController
      # Check token validity and scope (read_write includes read access)
      has_sufficient_scope = access_token&.scopes&.include?("read") || access_token&.scopes&.include?("read_write")

-      unless access_token && !access_token.expired? && has_sufficient_scope
+      unless access_token&.accessible? && has_sufficient_scope
        render_json({ error: "unauthorized", message: "Access token is invalid, expired, or missing required scope" }, status: :unauthorized)
        return false
      end