From 6b1b3abfe97cde181d09313c93ab8317671daa6c Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Tue, 10 Dec 2024 17:45:52 +0100
Subject: [PATCH] Mark access token as used when calling the userinfo endpoint

---
 crates/axum-utils/src/user_authorization.rs | 5 +++++
 crates/handlers/src/oauth2/userinfo.rs | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/crates/axum-utils/src/user_authorization.rs b/crates/axum-utils/src/user_authorization.rs
index 66ec7cd3d..eb71ad5a4 100644
--- a/crates/axum-utils/src/user_authorization.rs
+++ b/crates/axum-utils/src/user_authorization.rs
@@ -117,6 +117,11 @@ impl UserAuthorization {
             return Err(AuthorizationVerificationError::InvalidToken);
         }
 
+        if !token.is_used() {
+            // Mark the token as used
+            repo.oauth2_access_token().mark_used(clock, token).await?;
+        }
+
         Ok(session)
     }
 }
diff --git a/crates/handlers/src/oauth2/userinfo.rs b/crates/handlers/src/oauth2/userinfo.rs
index 6618f063b..c3223482b 100644
--- a/crates/handlers/src/oauth2/userinfo.rs
+++ b/crates/handlers/src/oauth2/userinfo.rs
@@ -142,6 +142,8 @@ pub async fn get(
         .await?
         .ok_or(RouteError::NoSuchClient)?;
 
+    repo.save().await?;
+
     if let Some(alg) = client.userinfo_signed_response_alg {
         let key = key_store
             .signing_key_for_algorithm(&alg)
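Review bot: The `mark_used` write is added to the shared `UserAuthorization` verification path in `crates/axum-utils/src/user_authorization.rs`, so every handler that authorizes a bearer token through it now performs a repository write, not only the userinfo endpoint named in the subject, and each such caller has to persist it — the companion hunk in `crates/handlers/src/oauth2/userinfo.rs` adds `repo.save()` for userinfo alone. If `repo` is transactional, a caller that never saves will presumably discard the mark and `token.is_used()` will keep returning false on its next request, so the other call sites are worth checking, or the saving responsibility should be stated at this point. The `// Mark the token as used` comment restates the code; a why-comment such as `// Record the token's first use; persisting it is the caller's responsibility (repo.save())` would carry the information a reader actually needs. The `if !token.is_used()` guard followed by `mark_used` is a check-then-act, so two concurrent requests with the same token may both take the branch and `mark_used` must be safe to apply twice. The enclosing method starts outside the hunk.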
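Review bot: `repo.save().await?` is inserted between the client lookup and the response signing with nothing at the call site saying why a save is needed here; a short comment such as `// Persist the access-token "used" mark recorded during authorization` would tie it to the change in `user_authorization.rs`. A consequence of this placement is that if the code after `.signing_key_for_algorithm(&alg)` (outside the hunk) fails, the token is already recorded as used although no userinfo response was returned; that is presumably the intended fail-closed outcome, but it deserves a sentence in the same comment so a later reader does not move the save after the signing. The enclosing `get` function starts and ends outside the hunk.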