+ test "does not reuse expired tokens",
+ %{
+ conn: conn
+ } do
+ user = insert(:user)
+
+ app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+ other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+ token = insert(:oauth_token, user: user, app: app)
+
+ _not_reusable_token =
+ insert(:oauth_token,
+ app: other_app,
+ user: user,
+ valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -60 * 100)
+ )
+
+ conn =
+ conn
+ |> put_req_header("authorization", "Bearer #{token.token}")
+ |> get(
+ "/oauth/authorize",
+ %{
+ "response_type" => "code",
+ "client_id" => other_app.client_id,
+ "redirect_uri" => OAuthController.default_redirect_uri(other_app),
+ "scope" => "read"
+ }
+ )
+
+ assert html_response(conn, 200) =~ ~s(type="submit")
+ end
+
+ test "does not reuse tokens with the wrong scopes",
+ %{
+ conn: conn
+ } do
+ user = insert(:user)
+
+ app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+ other_app = insert(:oauth_app, redirect_uris: "https://redirect.url")
+
+ token = insert(:oauth_token, user: user, app: app, scopes: ["read"])
+
+ _not_reusable_token =
+ insert(:oauth_token,
+ app: other_app,
+ user: user
+ )
+
+ conn =
+ conn
+ |> put_req_header("authorization", "Bearer #{token.token}")
+ |> get(
+ "/oauth/authorize",
+ %{
+ "response_type" => "code",
+ "client_id" => other_app.client_id,
+ "redirect_uri" => OAuthController.default_redirect_uri(other_app),
+ "scope" => "read write"
+ }
+ )
+
+ assert html_response(conn, 200) =~ ~s(type="submit")
+ end
+