Refresh token revoked before scope validation

[runeb]

Specify your setup

• Operating System: Linux (Debian 12.12)
• Node version: 24.12.0
• npm version: N/A (using pnpm)
• version of @node-oauth/oauth2-server: 5.2.0
• which OAuth2 workflow: Refresh Token Grant (RFC 6749 Section 6)
• at which workflow step: Token refresh with scope parameter

Describe the bug

When refreshing a token with invalid scopes, the refresh token is revoked before scope validation. If validation fails, the token is destroyed without creating a replacement, permanently breaking authentication.

To Reproduce

1. Issue refresh token without scope
2. Client requests refresh with scope=some-scope
3. revokeToken() destroys the token (line 57)
4. getScope() throws InvalidScopeError (line 59)
5. Client retries without scope
6. Receives "Invalid grant: refresh token is invalid"

Expected behavior

Scope validation should occur before revocation. Invalid scope requests should fail without destroying the token.

Additional context

The fix is to swap lines 57 and 59 in lib/grant-types/refresh-token-grant-type.js to validate scope before revoking. Similar to issue #82 which addressed authorization code revocation timing.

[jankapunkt]

Hey @runeb thank you very much for revealing this one. I will review tomorrow, please make sure to update the tests accordingly.

[runeb]

@jankapunkt Thanks for the quick reply, I will add a test for this case

[runeb]

@jankapunkt I didn't find an existing test for testing invalid extra scope in refresh requests, so I made the test more generally about that, with assertions that revoke and save are not called on the model when returning "Invalid scope: Unable to add extra scopes"

[jankapunkt]

Thanks @runeb

[jankapunkt]

@runeb this is merged and released in 5.2.2-rc.0 please install via npm i @node-oauth/oauth2-server@5.2.2-rc.0 and let me know if anything unexpectedly breaks.