ory · aeneasr · Nov 17, 2016 · Nov 17, 2016
@@ -1,6 +1,12 @@
 This is a list of breaking changes. As long as `1.0.0` is not released, breaking changes will be addressed as minor version
 bumps (`0.1.0` -> `0.2.0`).
 
+## 0.6.0
+
+A bug related to refresh tokens was found. To mitigate it, a `Clone()` method has been introduced to the `fosite.Session` interface.
+If you use a custom session object, this will be a breaking change. Fosite's default sessions have been upgraded and no additional
+work should be required. If you use your own session struct, we encourage using package `gob/encoding` to deep-copy it in `Clone()`.
+
 ## 0.5.0
 
 Breaking changes:

@@ -57,7 +57,7 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
 		return errors.Wrap(fosite.ErrInvalidRequest, "Client ID mismatch")
 	}
 
-	request.SetSession(originalRequest.GetSession())
+	request.SetSession(originalRequest.GetSession().Clone())
 	request.SetRequestedScopes(originalRequest.GetRequestedScopes())
 	for _, scope := range originalRequest.GetGrantedScopes() {
 		request.GrantScope(scope)

@@ -90,7 +90,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 				}, nil)
 			},
 			expect: func() {
-				assert.Equal(t, sess, areq.Session)
+				assert.NotEqual(t, sess, areq.Session)
 				assert.NotEqual(t, time.Now().Add(-time.Hour).Round(time.Hour), areq.RequestedAt)
 				assert.Equal(t, fosite.Arguments{"foo", "offline"}, areq.GrantedScopes)
 				assert.Equal(t, fosite.Arguments{"foo", "bar"}, areq.Scopes)

@@ -4,6 +4,8 @@ import (
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/token/jwt"
 	"time"
+	"bytes"
+	"encoding/gob"
 )
 
 type JWTSessionContainer interface {
@@ -71,3 +73,13 @@ func (s *JWTSession) GetSubject() string {
 
 	return s.Subject
 }
+
+func (s *JWTSession) Clone() fosite.Session {
+	var clone JWTSession
+	var mod bytes.Buffer
+	enc := gob.NewEncoder(&mod)
+	dec := gob.NewDecoder(&mod)
+	_ = enc.Encode(s)
+	_ = dec.Decode(&clone)
+	return &clone
+}
@@ -2,13 +2,14 @@ package openid
 
 import (
 	"net/http"
-
+	"encoding/gob"
 	"time"
 
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/token/jwt"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
+	"bytes"
 )
 
 const defaultExpiryTime = time.Hour
@@ -36,6 +37,17 @@ func NewDefaultSession() *DefaultSession {
 	}
 }
 
+func (s *DefaultSession) Clone() fosite.Session {
+	var clone DefaultSession
+	var mod bytes.Buffer
+	enc := gob.NewEncoder(&mod)
+	dec := gob.NewDecoder(&mod)
+	_ = enc.Encode(s)
+	_ = dec.Decode(&clone)
+	return &clone
+}
+
+
 func (s *DefaultSession) SetExpiresAt(key fosite.TokenType, exp time.Time) {
 	if s.ExpiresAt == nil {
 		s.ExpiresAt = make(map[fosite.TokenType]time.Time)

@@ -1,6 +1,10 @@
 package fosite
 
-import "time"
+import (
+	"time"
+	"bytes"
+	"encoding/gob"
+)
 
 // Session is an interface that is used to store session data between OAuth2 requests. It can be used to look up
 // when a session expires or what the subject's name was.
@@ -20,6 +24,9 @@ type Session interface {
 
 	// GetSubject returns the subject, if set. This is optional and only used during token introspection.
 	GetSubject() string
+
+	// Clone clones the session.
+	Clone() Session
 }
 
 // DefaultSession is a default implementation of the session interface.
@@ -61,3 +68,13 @@ func (s *DefaultSession) GetSubject() string {
 
 	return s.Subject
 }
+
+func (s *DefaultSession) Clone() Session {
+	var clone DefaultSession
+	var mod bytes.Buffer
+	enc := gob.NewEncoder(&mod)
+	dec := gob.NewDecoder(&mod)
+	_ = enc.Encode(s)
+	_ = dec.Decode(&clone)
+	return &clone
+}