fix: refresh token param in string

server/handlers/authorize.go

@@ -275,7 +275,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 			sessionstore.RemoveState(sessionToken)
 			sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
-
+			cookie.SetSession(gc, authToken.FingerPrintHash)
 			expiresIn := int64(1800)
 
 			// used of query mode
@@ -294,9 +294,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 				res["refresh_token"] = authToken.RefreshToken.Token
 				params += "&refresh_token=" + authToken.RefreshToken.Token
 				sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
-			} else {
-				// set session if not offline access
-				cookie.SetSession(gc, authToken.FingerPrintHash)
 			}
 
 			if isQuery {

server/handlers/oauth_callback.go

@@ -158,7 +158,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 
 		if authToken.RefreshToken != nil {
-			params = params + `&refresh_token=${refresh_token}`
+			params = params + `&refresh_token=` + authToken.RefreshToken.Token
 			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 		}
 

server/handlers/token.go

@@ -143,6 +143,8 @@ func TokenHandler() gin.HandlerFunc {
 			userID = claims["sub"].(string)
 			roles = claims["roles"].([]string)
 			scope = claims["scope"].([]string)
+			// remove older refresh token and rotate it for security
+			sessionstore.RemoveState(refreshToken)
 		}
 
 		user, err := db.Provider.GetUserByID(userID)