revoke unused OAuth2 tokens on signout

chrome/browser/signin/signin_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/signin_manager.h"
 
 #include <string>
 #include <vector>
 
 #include "base/command_line.h"
@@ skipping 310 matching lines @@
     HandleAuthError(GoogleServiceAuthError(
         GoogleServiceAuthError::ACCOUNT_DISABLED), true);
     return false;
   }
 
   // This attempt is either 1) the user trying to establish initial sync, or
   // 2) trying to refresh credentials for an existing username.  If it is 2, we
   // need to try again, but take care to leave state around tracking that the
   // user has successfully signed in once before with this username, so that on
   // restart we don't think sync setup has never completed.
+  RevokeOAuthLoginToken();

[tim (not reviewing), 2013/03/29 22:41:25]

Note that as of M26+ we won't actually go through this
StartSignin/PrepareForSignin flow. This path is only used for client-login. 
(Anecdotally https://codereview.chromium.org/12502017/ will remove it from
chrome os altogether).

OneClickSigninHelper has most of the code responsible for the new flows. A fair
chunk of that should likely be moved to SigninManager since that is now the
primary signin flow, but for now it still lives there.  Roger, do you know where
we should put this revocation code?

[Roger Tawa OOO till Jul 10th, 2013/03/31 18:16:30]

All sign in flows go through PrepareForSignin(), so putting code here will run
in M26+.

   ClearTransientSigninData();
   type_ = type;
   possibly_invalid_username_.assign(username);
   password_.assign(password);
 
   client_login_.reset(new GaiaAuthFetcher(this,
                                           GaiaConstants::kChromeSource,
                                           profile_->GetRequestContext()));
 
   NotifyDiagnosticsObservers(SIGNIN_TYPE, SigninTypeToString(type));
@@ skipping 210 matching lines @@
   NotifyDiagnosticsObservers(USERNAME, "");
   NotifyDiagnosticsObservers(LSID, "");
   NotifyDiagnosticsObservers(
       signin_internals_util::SID, "");
 
   TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_GOOGLE_SIGNED_OUT,
       content::Source<Profile>(profile_),
       content::Details<const GoogleServiceSignoutDetails>(&details));
+  RevokeOAuthLoginToken();
   token_service->ResetCredentialsInMemory();
   token_service->EraseTokensFromDB();
 }
 
+void SigninManager::RevokeOAuthLoginToken() {
+  TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
+  if (token_service->HasOAuthLoginToken()) {
+    revoke_token_fetcher_.reset(
+        new GaiaAuthFetcher(this,
+                            GaiaConstants::kChromeSource,
+                            profile_->GetRequestContext()));
+    revoke_token_fetcher_->StartRevokeOAuth2Token(
+        token_service->GetOAuth2LoginRefreshToken());
+  }
+}
+
+void SigninManager::OnOAuth2RevokeTokenCompleted() {
+  revoke_token_fetcher_.reset(NULL);
+}
+
 bool SigninManager::AuthInProgress() const {
   return !possibly_invalid_username_.empty();
 }
 
 void SigninManager::OnGetUserInfoKeyNotFound(const std::string& key) {
   DCHECK(key == kGetInfoDisplayEmailKey || key == kGetInfoEmailKey);
   LOG(ERROR) << "Account is not associated with a valid email address. "
              << "Login failed.";
   OnClientLoginFailure(GoogleServiceAuthError(
       GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
@@ skipping 361 matching lines @@
                     NotifySigninValueChanged(field, value));
 }
 
 void SigninManager::NotifyDiagnosticsObservers(
     const TimedSigninStatusField& field,
     const std::string& value) {
   FOR_EACH_OBSERVER(SigninDiagnosticsObserver,
                     signin_diagnostics_observers_,
                     NotifySigninValueChanged(field, value));
 }