From ed0ba9d516d56861ed733e2f9b9a3f0d7b9254dd Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 25 Jun 2025 13:18:19 +0000
Subject: [PATCH] client: Require full authentication when the refresh token
 has expired

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/pakfire/client.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/pakfire/client.c b/src/pakfire/client.c
index 4037e69b..7da899fe 100644
--- a/src/pakfire/client.c
+++ b/src/pakfire/client.c
@@ -151,6 +151,8 @@ ERROR:
 static int pakfire_client_auth_response(struct pakfire_xfer* xfer,
 	pakfire_xfer_error_code_t code, json_object* response, void* data);
 
+static int pakfire_client_auth_required(struct pakfire_client* self);
+
 /*
 	Triggers a refresh of the access and refresh tokens
 */
@@ -163,6 +165,10 @@ static int pakfire_client_auth_refresh(struct pakfire_client* self) {
 	if (!*self->auth.refresh_token)
 		return -ENOTSUP;
 
+	// Require authentication if the refresh token has completely expired
+	if (pakfire_jwt_has_expired(self->auth.refresh_token))
+		return pakfire_client_auth_required(self);
+
 	// Log action
 	DEBUG(self->ctx, "Refreshing authentication tokens...\n");
 
-- 
2.47.2