From cb2fef0cb061c1811100e68f604b3fc3cca59fc9 Mon Sep 17 00:00:00 2001
From: Gaspard Lonchampt
Date: Sun, 15 Dec 2024 20:45:01 +0100
Subject: [PATCH] fix(authentification): delete all refresh token

---
 app/helpers/authentication.py | 36 ++++++++++++++++++------
 app/helpers/authentication_controller.py | 29 ++++++++++++++++---
 2 files changed, 52 insertions(+), 13 deletions(-)

diff --git a/app/helpers/authentication.py b/app/helpers/authentication.py
index 0755e799..e4e28440 100644
--- a/app/helpers/authentication.py
+++ b/app/helpers/authentication.py
@@ -400,18 +400,36 @@ def logout():
 @jwt_required(refresh=True)
 def delete_refresh_token():
 from app.models.refresh_token import RefreshToken
- from app.models.controller_refresh_token import ControllerRefreshToken
+ from app.helpers.authentication_controller import (
+ delete_controller_refresh_token,
+ )
 identity = get_jwt_identity()
 if identity.get("controller"):
- matching_refresh_token = ControllerRefreshToken.get_token(
- token=identity.get("token"),
- controller_user_id=identity.get("controllerUserId"),
- )
+ delete_controller_refresh_token()
 else:
+ user_id = identity.get("id")
 matching_refresh_token = RefreshToken.get_token(
- token=identity.get("token"), user_id=identity.get("id")
+ token=identity.get("token"),
+ user_id=user_id,
 )
- if not matching_refresh_token:
- raise AuthenticationError("Refresh token is invalid")
- db.session.delete(matching_refresh_token)
+
+ if matching_refresh_token:
+ db.session.delete(matching_refresh_token)
+ app.logger.info(
+ f"Matching refresh token {identity.get('token')} deleted for user {user_id}"
+ )
+ else:
+ refresh_tokens = RefreshToken.query.filter_by(
+ user_id=user_id
+ ).all()
+
+ app.logger.warning(
+ f"No matching refresh token found. Deleting all {len(refresh_tokens)} tokens for user {user_id}"
+ )
+
+ for token in refresh_tokens:
+ db.session.delete(token)
+
+ db.session.commit()
+ app.logger.info(f"Completed token cleanup for user {user_id}")
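Review bot: The added `app.logger.info(f"Matching refresh token {identity.get('token')} deleted for user {user_id}")` writes the refresh-token value itself into the application log, which is usually retained longer and readable by more people and systems than the token table; a secret that can mint new access tokens should not land there, so log only the user id, e.g. `f"Matching refresh token deleted for user {user_id}"`. Removing `raise AuthenticationError("Refresh token is invalid")` also means a refresh JWT whose row was already revoked now returns success and, through the new `else:` branch, deletes every other refresh token of that user; if this mass-revocation is the intended semantics (the commit title suggests it is), a docstring on `delete_refresh_token` should state it and the response should still tell the client that the presented token was not recognised. Indentation is lost in this rendering: if the final `db.session.commit()` and `app.logger.info(...)` sit at function level rather than inside the `else:` branch, `user_id` is unbound on the controller path and the endpoint raises `NameError` there.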
diff --git a/app/helpers/authentication_controller.py b/app/helpers/authentication_controller.py
index 0afa1ba5..d9fffbeb 100644
--- a/app/helpers/authentication_controller.py
+++ b/app/helpers/authentication_controller.py
@@ -148,10 +148,31 @@ def delete_controller_refresh_token():
 from app.models.controller_refresh_token import ControllerRefreshToken
 identity = get_jwt_identity()
+ controller_user_id = identity.get("controllerUserId")
+
 matching_refresh_token = ControllerRefreshToken.get_token(
 token=identity.get("token"),
- controller_user_id=identity.get("controllerUserId"),
+ controller_user_id=controller_user_id,
+ )
+
+ if matching_refresh_token:
+ db.session.delete(matching_refresh_token)
+ app.logger.info(
+ f"Matching refresh token {identity.get('token')} deleted for controller {controller_user_id}"
+ )
+ else:
+ refresh_tokens = ControllerRefreshToken.query.filter_by(
+ controller_user_id=controller_user_id
+ ).all()
+
+ app.logger.warning(
+ f"No matching refresh token found. Deleting all {len(refresh_tokens)} tokens for controller {controller_user_id}"
+ )
+
+ for token in refresh_tokens:
+ db.session.delete(token)
+
+ db.session.commit()
+ app.logger.info(
+ f"Completed token cleanup for controller {controller_user_id}"
 )
- if not matching_refresh_token:
- raise AuthenticationError("Refresh token is invalid")
- db.session.delete(matching_refresh_token)
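Review bot: `controller_user_id = identity.get("controllerUserId")` is `None` when the claim is missing from the JWT, and the new `else:` branch then runs `ControllerRefreshToken.query.filter_by(controller_user_id=None)`, which — if that column is nullable — selects and deletes every row with a NULL controller id rather than nothing; the removed `raise AuthenticationError("Refresh token is invalid")` used to stop exactly this case because `get_token` found no row. Guard the lookup with `if controller_user_id is None: raise AuthenticationError("Refresh token is invalid")` so the fallback only ever revokes tokens of an identified controller. A stale or replayed refresh JWT with a valid signature now silently revokes all of the controller's sessions and the function returns nothing, so its caller `delete_refresh_token` cannot tell which path ran; returning the number of deleted tokens, or at least a docstring stating that an unrecognised token triggers revocation of all of the controller's tokens, would make the contract explicit. The `identity.get('token')` value in the `app.logger.info` f-string should also be dropped from the log line, as it is the credential itself. The `def delete_controller_refresh_token():` line appears only in the `@@` header, so the function's start is outside the hunk.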