From 936b8f93ecc84e2e90fbb3c34ce765aa4327a166 Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Wed, 13 Jan 2016 00:38:23 +0000
Subject: [PATCH] Addititonal refresh token validation

---
 src/Grant/RefreshTokenGrant.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php
index e3ba3029..d84de59d 100644
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -124,10 +124,14 @@ class RefreshTokenGrant extends AbstractGrant
         }
 
         $validation = new ValidationData();
-        $validation->setAudience($client->getIdentifier());
-        $validation->setCurrentTime(time());
+        $validation->setAudience($client->getIdentifier()); // Validates refresh token hasn't expired
+        $validation->setCurrentTime(time()); // Validates token hasn't expired
         if ($oldRefreshToken->validate($validation) === false) {
-            throw OAuthServerException::invalidRefreshToken();
+            throw OAuthServerException::invalidRefreshToken('Token has expired or is not linked to client');
+        }
+
+        if ($oldRefreshToken->getClaim('type') !== 'refreshToken') {
+            throw OAuthServerException::invalidRefreshToken('Token is not a refresh token');
         }
 
         // Get the scopes for the original session
@@ -159,7 +163,7 @@ class RefreshTokenGrant extends AbstractGrant
         $accessToken->setIdentifier(SecureKey::generate());
         $accessToken->setExpiryDateTime((new \DateTime())->add($tokenTTL));
         $accessToken->setClient($client);
-        $accessToken->setUserIdentifier($oldRefreshToken->getClaim('uid'));
+        $accessToken->setUserIdentifier($oldRefreshToken->getClaim('sub'));
         foreach ($newScopes as $scope) {
             $accessToken->addScope($scope);
         }
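Review bot: The comment added to the `setAudience` line in the first hunk is wrong — it repeats the expiry comment from the `setCurrentTime` line below it, while `setAudience` constrains the token's `aud` claim to the requesting client, which is exactly the "not linked to client" half of the new exception message. Suggest `$validation->setAudience($client->getIdentifier()); // Validates the token's aud claim matches the requesting client`. On the new `type` check, it is worth confirming how `getClaim('type')` behaves when a token carries no such claim (an older or foreign token); if the library raises rather than returning a non-matching value, that path would surface as an unrelated exception instead of `invalidRefreshToken`, so guarding with a presence check first (e.g. `hasClaim('type')`, if available in the JWT library version in use) would keep the failure mode consistent. The enclosing method starts before and ends after this hunk.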
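Review bot: Switching the user lookup from `getClaim('uid')` to `getClaim('sub')` in the second hunk is only correct if the code that issues refresh tokens now writes the user identifier under `sub`; that issuing side is not part of this patch, so please confirm it was updated in the same release. Refresh tokens minted before this change that still carry `uid` will no longer resolve a user here, and depending on how the JWT library handles a missing claim this either throws from `getClaim` or sets an empty/false user identifier on the new access token — neither is reported as an invalid refresh token. A one-line comment such as `// Subject (sub) claim carries the user identifier; tokens issued with the legacy uid claim are not supported` would make the contract explicit for the next reader. The enclosing method continues outside the hunk.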