revoke unused OAuth2 tokens on signout and re-signin

chrome/browser/signin/signin_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/signin_manager.h"
 
 #include <string>
 #include <vector>
 
 #include "base/command_line.h"
@@ skipping 310 matching lines @@
     HandleAuthError(GoogleServiceAuthError(
         GoogleServiceAuthError::ACCOUNT_DISABLED), true);
     return false;
   }
 
   // This attempt is either 1) the user trying to establish initial sync, or
   // 2) trying to refresh credentials for an existing username.  If it is 2, we
   // need to try again, but take care to leave state around tracking that the
   // user has successfully signed in once before with this username, so that on
   // restart we don't think sync setup has never completed.
+  RevokeOAuthLoginToken();
   ClearTransientSigninData();
   type_ = type;
   possibly_invalid_username_.assign(username);
   password_.assign(password);
 
   client_login_.reset(new GaiaAuthFetcher(this,
                                           GaiaConstants::kChromeSource,
                                           profile_->GetRequestContext()));
 
   NotifyDiagnosticsObservers(SIGNIN_TYPE, SigninTypeToString(type));
@@ skipping 210 matching lines @@
   NotifyDiagnosticsObservers(USERNAME, "");
   NotifyDiagnosticsObservers(LSID, "");
   NotifyDiagnosticsObservers(
       signin_internals_util::SID, "");
 
   TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_GOOGLE_SIGNED_OUT,
       content::Source<Profile>(profile_),
       content::Details<const GoogleServiceSignoutDetails>(&details));
+  RevokeOAuthLoginToken();
   token_service->ResetCredentialsInMemory();
   token_service->EraseTokensFromDB();
 }
 
+void SigninManager::RevokeOAuthLoginToken() {
+  TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
+  if (token_service->HasOAuthLoginToken()) {
+    revoke_token_fetcher_.reset(
+        new GaiaAuthFetcher(this,
+                            GaiaConstants::kChromeSource,
+                            profile_->GetRequestContext()));
+    revoke_token_fetcher_->StartRevokeOAuth2Token(
+        token_service->GetOAuth2LoginRefreshToken());
+  }
+}
+
+void SigninManager::OnOAuth2RevokeTokenCompleted() {
+  revoke_token_fetcher_.reset(NULL);
+}
+
 bool SigninManager::AuthInProgress() const {
   return !possibly_invalid_username_.empty();
 }
 
 void SigninManager::OnGetUserInfoKeyNotFound(const std::string& key) {
   DCHECK(key == kGetInfoDisplayEmailKey || key == kGetInfoEmailKey);
   LOG(ERROR) << "Account is not associated with a valid email address. "
              << "Login failed.";
   OnClientLoginFailure(GoogleServiceAuthError(
       GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
@@ skipping 361 matching lines @@
                     NotifySigninValueChanged(field, value));
 }
 
 void SigninManager::NotifyDiagnosticsObservers(
     const TimedSigninStatusField& field,
     const std::string& value) {
   FOR_EACH_OBSERVER(SigninDiagnosticsObserver,
                     signin_diagnostics_observers_,
                     NotifySigninValueChanged(field, value));
 }