From 779e1d51ac1d50c5625a1cc403d732d74b364ccf Mon Sep 17 00:00:00 2001
From: Julien Veyssier
Date: Tue, 29 Aug 2023 12:13:25 +0200
Subject: [PATCH] delete oauth access token when receiving a code that has expired
Signed-off-by: Julien Veyssier
---
 apps/oauth2/lib/Controller/OauthApiController.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index d1eda92b228..ecf0062918b 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -128,6 +128,9 @@ class OauthApiController extends Controller {
 $now = $this->timeFactory->now()->getTimestamp();
 $tokenCreatedAt = $accessToken->getCreatedAt();
 if ($tokenCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) {
+ // we know this token is not useful anymore
+ $this->accessTokenMapper->delete($accessToken);
+
 $response = new JSONResponse([
 'error' => 'invalid_request',
 ], Http::STATUS_BAD_REQUEST);
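Review bot: The added comment `// we know this token is not useful anymore` does not say why the delete is safe, which is the point a future maintainer needs when they wonder whether a legitimate client could still redeem this row; suggest `// The authorization code attached to this token is single-use and has expired, so it can never be redeemed; drop the pending row instead of leaving it to accumulate.` The delete now runs before the error response is built, so if `$this->accessTokenMapper->delete()` throws, the client presumably receives a generic failure instead of the `invalid_request` JSON on the following lines — worth confirming that is acceptable, or moving the delete after the response is constructed. The enclosing method, including the lookup that produced `$accessToken`, starts before this hunk, so a retry with the same expired code will now fail at that lookup rather than here; a test covering that second request would pin the intended behaviour.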