From e78b04427cab89c1d95682b32eee26d745e62a8e Mon Sep 17 00:00:00 2001
From: Master-Guy
Date: Mon, 4 Jan 2021 00:46:58 +0100
Subject: [PATCH 1/2] Logging out revokes your access_token through API
---
 src/server/middlewares/proxy.mjs | 6 ++++++
 src/store/actionTypes.js | 1 +
 src/store/actions/session.js | 19 +++++++++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/server/middlewares/proxy.mjs b/src/server/middlewares/proxy.mjs
index 3b64d6c06..1c57628f8 100644
--- a/src/server/middlewares/proxy.mjs
+++ b/src/server/middlewares/proxy.mjs
@@ -34,6 +34,12 @@ const configureProxies = (koaServer, env) => {
 target: env.api.url,
 }))
+ koaServer.use(createProxyWithDefaults('/api/oauth2/revoke', {
+ auth: `${env.api.clientId}:${env.api.clientSecret}`,
+ rewrite: stripPathSegment('api'),
+ target: env.api.url,
+ }))
+
 koaServer.use(createProxyWithDefaults('/api', {
 rewrite: stripPathSegment('api'),
 target: env.api.url,
diff --git a/src/store/actionTypes.js b/src/store/actionTypes.js
index 724fdcf95..4dc0af51e 100644
--- a/src/store/actionTypes.js
+++ b/src/store/actionTypes.js
@@ -87,6 +87,7 @@ const oauth = {
 authorize: {
 read: 'oauth/authorize/read',
 create: 'oauth/authorize/create',
+ delete: 'oauth/authorize/delete',
 },
 }
diff --git a/src/store/actions/session.js b/src/store/actions/session.js
index 4f84cf629..21cdc26f6 100644
--- a/src/store/actions/session.js
+++ b/src/store/actions/session.js
@@ -1,11 +1,13 @@
-import { createFSA } from '@fuelrats/web-util/actions'
+import { createFSA, createAxiosFSA } from '@fuelrats/web-util/actions'
 import { HttpStatus } from '@fuelrats/web-util/http'
 import { isError } from 'flux-standard-action'
 import { configureRequest, deleteCookie } from '~/helpers/gIPTools'
+import frApi from '~/services/fuelrats'
 import actionTypes from '../actionTypes'
 import {
+ selectSessionToken,
 selectPageRequiresAuth,
 selectSession,
 selectUserById,
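Review bot: The new `/api/oauth2/revoke` proxy injects `env.api.clientId:env.api.clientSecret` as the upstream auth for whatever the browser sends to that path, so the confidential client secret now backs an endpoint any visitor can reach, and the hunk carries no explanation of why that is acceptable. It is the shape RFC 7009 expects — revocation is a client-authenticated call and a caller can only revoke a token it already holds — so I would state that on the block: `// RFC 7009 revocation is client-authenticated; the proxy adds the secret so it never reaches the browser.` If `createProxyWithDefaults` matches by path prefix rather than exact path (not visible here), anything under `/api/oauth2/revoke/...` also gets the client credentials, so an exact-path or POST-only restriction is worth confirming. A startup check that both `env.api.clientId` and `env.api.clientSecret` are set would also fail loudly instead of silently sending `clientId:undefined` in environments where the secret is missing.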
@@ -22,9 +24,22 @@ import { getUserProfile } from './user'
 * @returns {Function} Redux action thunk
 */
 export const logout = (ctx) => {
- return (dispatch, getState) => {
+ return async (dispatch, getState) => {
 deleteCookie('access_token', ctx)
+ const token = selectSessionToken(getState())
+
+ await dispatch(createAxiosFSA(
+ actionTypes.oauth.authorize.delete,
+ await frApi.request({
+ url: '/oauth2/revoke',
+ method: 'post',
+ data: {
+ token,
+ },
+ }),
+ ))
+
 return dispatch(
 createFSA(
 actionTypes.session.logout,
From 59ac34c532aa18cc5da7f03c5fb392e13c653763 Mon Sep 17 00:00:00 2001
From: Master-Guy
Date: Mon, 4 Jan 2021 15:00:54 +0100
Subject: [PATCH 2/2] Fixed review comments and added changelog info
---
 CHANGELOG.md | 2 ++
 src/store/actions/session.js | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2f9d29e6..7940f248f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ For detailed rules of this file, see [Changelog Rules](#changelog-rules)
 ### ⚡ Changed
 * Further improve message displayed when email validation token is invalid.
+* Logging out also removes your access token through the API, so your token cannot be used anywhere anymore. - [#305][]
 ### 🐛 Fixed
@@ -25,6 +26,7 @@ For detailed rules of this file, see [Changelog Rules](#changelog-rules)
 * Perform some preparation steps for Webpack 5 and Yarn PnP.
 * Upgrade to Yarn 2 (but not PnP, that comes later when the bugs are solved).
+[#305]: https://github.com/fuelRats/fuelrats.com/pull/305
 [#303]: https://github.com/fuelRats/fuelrats.com/pull/303
 [#302]: https://github.com/fuelRats/fuelrats.com/pull/302
 [Unreleased]: https://github.com/FuelRats/fuelrats.com/compare/v2.12.6...HEAD
diff --git a/src/store/actions/session.js b/src/store/actions/session.js
index 21cdc26f6..2741b692c 100644
--- a/src/store/actions/session.js
+++ b/src/store/actions/session.js
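Review bot: `selectSessionToken(getState())` can yield `undefined` when the store holds no session token (cookie already expired, logout reached twice, server-side call with an empty session), and the hunk then still POSTs `data: { token: undefined }` to `/oauth2/revoke`; guarding the whole dispatch with `if (token) {` … `}` avoids a pointless, failure-prone request. The ordering is also worth a look: `deleteCookie('access_token', ctx)` runs before the revoke request, so if `frApi` or the server-side proxy takes its bearer token from that cookie rather than from an in-memory default set at login — which I cannot tell from this hunk — the revoke goes out unauthenticated; moving the cookie deletion after the request removes that dependency. Either way a one-line comment should state the intended order, e.g. `// Revoke server-side first, then drop the local credential.` The `logout` thunk continues past the end of this hunk.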
@@ -26,10 +26,11 @@ import { getUserProfile } from './user'
 export const logout = (ctx) => {
 return async (dispatch, getState) => {
 deleteCookie('access_token', ctx)
+ const curState = getState()
- const token = selectSessionToken(getState())
+ const token = selectSessionToken(curState)
- await dispatch(createAxiosFSA(
+ dispatch(createAxiosFSA(
 actionTypes.oauth.authorize.delete,
 await frApi.request({
 url: '/oauth2/revoke',
@@ -44,7 +45,7 @@ export const logout = (ctx) => {
 createFSA(
 actionTypes.session.logout,
 {
- waitForDestroy: Boolean(selectPageRequiresAuth(getState())),
+ waitForDestroy: Boolean(selectPageRequiresAuth(curState)),
 },
 ),
 )
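Review bot: The `await frApi.request(...)` passed as the argument of `dispatch(createAxiosFSA(...))` still rejects when the revoke call fails (a network error, or a non-2xx response if `frApi.request` throws on those — not visible here), and nothing catches it, so the `session.logout` dispatch in the second hunk never runs: `deleteCookie` has already executed but the Redux session stays alive, leaving the user half logged out. Dropping the outer `await` in this patch does not change that, because the inner `await` is what throws. Server-side revocation should be best-effort relative to local logout: wrap it in try/catch, record the failure as an error action so it is not swallowed, and always fall through to `session.logout`; whether `createAxiosFSA` accepts an axios error as its second argument I cannot tell from the hunk, so use the codebase's usual error-FSA form if it does not. Both hunks lie inside `logout`, whose body continues past the second hunk.
```javascript
    const token = selectSessionToken(curState)

    // Server-side revocation is best-effort: a failed revoke must never block local logout.
    try {
      dispatch(createAxiosFSA(
        actionTypes.oauth.authorize.delete,
        await frApi.request({
          url: '/oauth2/revoke',
          method: 'post',
          data: {
            token,
          },
        }),
      ))
    } catch (error) {
      // Surface the failure rather than swallowing it; the token stays valid server-side until it expires.
      dispatch(createAxiosFSA(actionTypes.oauth.authorize.delete, error))
    }
    // … unchanged: session.logout dispatch …
```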