Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens

2025-12-31 14:32:34 +11:00
parent a17c08c890
commit 40815d3576
3 changed files with 9 additions and 15 deletions
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -482,14 +482,11 @@ class OidcController < ApplicationController
      return
    end

-    # Find the refresh token record
-    # Note: This is inefficient with BCrypt hashing, but necessary for security
-    # In production, consider adding a token prefix for faster lookup
-    refresh_token_record = OidcRefreshToken.where(application: application).find do |rt|
-      rt.token_matches?(refresh_token)
-    end
+    # Find the refresh token record using indexed token prefix lookup
+    refresh_token_record = OidcRefreshToken.find_by_token(refresh_token)

-    unless refresh_token_record
+    # Verify the token belongs to the correct application
+    unless refresh_token_record && refresh_token_record.application == application
      render json: { error: "invalid_grant", error_description: "Invalid refresh token" }, status: :bad_request
      return
    end
@@ -668,9 +665,7 @@ class OidcController < ApplicationController

    if token_type_hint == "refresh_token" || token_type_hint.nil?
      # Try to find as refresh token
-      refresh_token_record = OidcRefreshToken.where(application: application).find do |rt|
-        rt.token_matches?(token)
-      end
+      refresh_token_record = OidcRefreshToken.find_by_token(token)

      if refresh_token_record
        refresh_token_record.revoke!
@@ -681,9 +676,7 @@ class OidcController < ApplicationController

    if !revoked && (token_type_hint == "access_token" || token_type_hint.nil?)
      # Try to find as access token
-      access_token_record = OidcAccessToken.where(application: application).find do |at|
-        at.token_matches?(token)
-      end
+      access_token_record = OidcAccessToken.find_by_token(token)

      if access_token_record
        access_token_record.revoke!
--- a/app/models/oidc_refresh_token.rb
+++ b/app/models/oidc_refresh_token.rb
@@ -10,6 +10,7 @@ class OidcRefreshToken < ApplicationRecord
  before_validation :set_token_family_id, on: :create

  validates :token_digest, presence: true, uniqueness: true
+  validates :token_prefix, presence: true

  scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -57,8 +57,8 @@ Rails.application.configure do
  # Replace the default in-process memory cache store with a durable alternative.
  config.cache_store = :solid_cache_store

-  # Use async processor for background jobs (modify as needed for production)
-  config.active_job.queue_adapter = :async
+  # Use Solid Queue for background jobs
+  config.active_job.queue_adapter = :solid_queue

  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.