Ensure refresh token returned is new after use

Sephster · Sephster · commit 234aafec5b93 · 2024-10-14T23:12:25.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
 - Fixed bug where "state" parameter wasn't present on `invalid_scope` error response and wasn't on fragment part of `access_denied` redirect URI on Implicit grant (PR #1298) 
 - Fixed bug where disabling refresh token revocation via `revokeRefreshTokens(false)` unintentionally disables issuing new refresh token (PR #1449)
-- 
+
 ## [9.0.0] - released 2024-05-13
 ### Added
 - Device Authorization Grant added (PR #1074)
diff --git a/tests/Grant/RefreshTokenGrantTest.php b/tests/Grant/RefreshTokenGrantTest.php
@@ -594,10 +594,10 @@ public function testRespondToRequestFinalizeScopes(): void
         );
 
         $serverRequest = (new ServerRequest())->withParsedBody([
-           'client_id'     => 'foo',
-           'client_secret' => 'bar',
-           'refresh_token' => $encryptedOldRefreshToken,
-           'scope'         =>  'foo bar',
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $encryptedOldRefreshToken,
+            'scope'         =>  'foo bar',
         ]);
 
         $responseType = new StubResponseType();
@@ -630,7 +630,7 @@ public function testRevokedRefreshToken(): void
 
         $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
         $refreshTokenRepositoryMock->method('isRefreshTokenRevoked')
-             ->will(self::onConsecutiveCalls(false, true));
+            ->will(self::onConsecutiveCalls(false, true));
         $refreshTokenRepositoryMock->expects(self::once())->method('revokeRefreshToken')->with(self::equalTo($refreshTokenId));
 
         $oldRefreshToken = json_encode(
@@ -728,12 +728,14 @@ public function testUnrevokedRefreshToken(): void
             'scope'         => 'foo',
         ]);
 
+        $privateKey = new CryptKey('file://' . __DIR__ . '/../Stubs/private.key');
+
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey($privateKey = new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setPrivateKey($privateKey);
         $grant->revokeRefreshTokens(false);
 
         $responseType = new BearerTokenResponse();
@@ -750,5 +752,6 @@ public function testUnrevokedRefreshToken(): void
         self::assertObjectHasProperty('expires_in', $json);
         self::assertObjectHasProperty('access_token', $json);
         self::assertObjectHasProperty('refresh_token', $json);
+        self::assertNotSame($json->refresh_token, $encryptedOldRefreshToken);
     }
 }
