From 3f62d1c71bd02b69366da5b7a3b49d0f78a33a09 Mon Sep 17 00:00:00 2001
From: Emmanuelle Bonnemay
Date: Wed, 29 Jan 2025 16:05:30 +0100
Subject: [PATCH] feat(api): check if access token is revoked in authentication process

---
 api/lib/infrastructure/authentication.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/lib/infrastructure/authentication.js b/api/lib/infrastructure/authentication.js
index cd4ac21f616..716516cad15 100644
--- a/api/lib/infrastructure/authentication.js
+++ b/api/lib/infrastructure/authentication.js
@@ -1,6 +1,7 @@
 import boom from '@hapi/boom';
 import lodash from 'lodash';
+import * as revokedUserAccessRepository from '../../src/identity-access-management/infrastructure/repositories/revoked-user-access.repository.js';
 import { getForwardedOrigin } from '../../src/identity-access-management/infrastructure/utils/network.js';
 import { config } from '../../src/shared/config.js';
 import { tokenService } from '../../src/shared/domain/services/token-service.js';
@@ -88,9 +89,14 @@ async function _checkIsAuthenticated(request, h, { key, validate }) {
     return boom.unauthorized();
   }
 
+  const userId = decodedAccessToken.user_id;
   // Only tokens including user_id are User Access Tokens.
   // This is why applications Access Tokens are not subject to audience validation for now.
-  if (decodedAccessToken.user_id && config.featureToggles.isUserTokenAudConfinementEnabled) {
+  if (config.featureToggles.isUserTokenAudConfinementEnabled && userId) {
+    const revokedUserAccess = await revokedUserAccessRepository.findByUserId(userId);
+    if (revokedUserAccess.isAccessTokenRevoked(decodedAccessToken)) {
+      return boom.unauthorized();
+    }
     const audience = getForwardedOrigin(request.headers);
     if (decodedAccessToken.aud !== audience) {
       return boom.unauthorized();
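Review bot: The new revocation check only runs when `config.featureToggles.isUserTokenAudConfinementEnabled` is true, so with the audience-confinement toggle off a revoked user access token is still accepted, although the commit subject promises revocation checking as part of authentication itself. Hoist the `findByUserId` lookup and the `isAccessTokenRevoked` test into their own `if (userId)` block placed before the toggle, so revocation and audience confinement are decided independently, as sketched below. Also confirm that `findByUserId` never resolves to null or undefined for a user with no revocation record, since the following method call on `revokedUserAccess` would then throw rather than reject or accept the request. This adds a repository round-trip on every request carrying a user token; if that cost is intentional, a short comment such as `// Revocation is checked on every user-token request; see revoked-user-access.repository.js` would help the next reader. `_checkIsAuthenticated` begins and ends outside the hunk.
```javascript
  const userId = decodedAccessToken.user_id;
  // Revocation applies to every user access token, independent of the audience-confinement toggle.
  if (userId) {
    const revokedUserAccess = await revokedUserAccessRepository.findByUserId(userId);
    if (revokedUserAccess.isAccessTokenRevoked(decodedAccessToken)) {
      return boom.unauthorized();
    }
  }
  // Only tokens including user_id are User Access Tokens.
  // This is why applications Access Tokens are not subject to audience validation for now.
  if (config.featureToggles.isUserTokenAudConfinementEnabled && userId) {
    // … unchanged: audience comparison …
```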