Class: StandardId::Oauth::RefreshTokenFlow

Inherits:
TokenGrantFlow
Defined in:
lib/standard_id/oauth/refresh_token_flow.rb

Instance Attribute Summary

Attributes inherited from TokenGrantFlow

#params, #request

Attributes inherited from BaseRequestFlow

#current_account, #params, #request

Instance Method Summary

Methods inherited from TokenGrantFlow

extra_permitted_keys, #initialize

Methods inherited from BaseRequestFlow

expect_params, expected_params, extra_permitted_keys, #initialize, permit_params, permitted_params

Constructor Details

This class inherits a constructor from StandardId::Oauth::TokenGrantFlow

Instance Method Details

#authenticate! ⇒ Object



# File 'lib/standard_id/oauth/refresh_token_flow.rb', line 27

# Verifies the refresh-token grant before any rotation takes place.
#
# In order:
#   1. If a client_secret was supplied, check it against client_id.
#   2. Decode the presented refresh_token; a blank payload is rejected.
#   3. Require the token's embedded client_id to match the requesting client.
#   4. Delegate to the record-level and scope-narrowing validations.
#
# @raise [StandardId::InvalidGrantError] when the token does not decode,
#   or was issued to a different client_id
#
# NOTE(review): when client_secret is absent the secret check is skipped
#   entirely — confirm that validate_refresh_token_record! (or the caller)
#   enforces client authentication for confidential clients.
def authenticate!
  client_id = params[:client_id]
  secret = params[:client_secret]
  validate_client_secret!(client_id, secret) if secret.present?

  @refresh_payload = StandardId::JwtService.decode(params[:refresh_token])
  raise StandardId::InvalidGrantError, "Invalid or expired refresh_token" if @refresh_payload.blank?

  unless @refresh_payload[:client_id] == client_id
    raise StandardId::InvalidGrantError, "Refresh token was not issued to this client"
  end

  validate_refresh_token_record!
  validate_scope_narrowing!
end

#execute ⇒ Object

authenticate! runs outside the transaction so reuse-detection revocations (revoke_family!) persist even when the error propagates. Only the normal rotation path (revoke old + create new) is wrapped in a transaction for atomicity.



# File 'lib/standard_id/oauth/refresh_token_flow.rb', line 11

# Runs the refresh-token grant end to end and returns the token response
# (nil when the rotation was rolled back).
#
# authenticate! is deliberately kept outside the transaction: any
# reuse-detection revocation it performs must persist even when it raises.
# Only the rotation plus response generation is made atomic.
#
# @return [Object, nil] the value of generate_token_response, or nil when
#   rotate_current_refresh_token! rolled the transaction back
def execute
  authenticate!

  token_response = nil
  StandardId::RefreshToken.transaction do
    rotate_current_refresh_token!
    token_response = generate_token_response
  end
  return token_response if token_response

  # A nil response means rotate_current_refresh_token! saw a concurrent reuse
  # (zero rows updated) and raised ActiveRecord::Rollback. Family revocation
  # runs here, outside the rolled-back transaction, so that it persists.
  handle_concurrent_reuse!
  token_response
end