@frsyuki
Created February 24, 2018 02:22
Example:
* (00:01:01): Initial state: client stores access_token=a01 and refresh_token=r01.
The API DB access_tokens table is as follows:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:00:01 | |
* (00:02:02): Client refreshes token using refresh_token=r01.
It gets access_token=a02 and refresh_token=r02.
The API DB access_tokens table becomes as follows:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked but not expired
| a02 | r02 | r01 | 3605 | 00:02:02 | |
* (00:03:03): Client process 1 refreshes token using refresh_token=r02.
It gets access_token=a03 and refresh_token=r03.
The API DB access_tokens table becomes as follows:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked but not expired
| a03 | r03 | r02 | 3605 | 00:03:03 | |
* (00:03:04): Client process 2 refreshes token using refresh_token=r02.
It gets access_token=a03 and refresh_token=r03 again!
The API returns a03 & r03 again because a row with previous_refresh_token=r02 (a03 & r03) exists and
the r02 row is still not expired, although its revoked_at is set.
(This lookup needs a unique index on the previous_refresh_token column.)
The API DB access_tokens table doesn't change:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked but not expired
| a03 | r03 | r02 | 3605 | 00:03:03 | |
* (00:04:04): Client refreshes token using refresh_token=r03.
It gets access_token=a04 and refresh_token=r04.
The API DB access_tokens table becomes as follows:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked and expired
| a03 | r03 | r02 | 3605 | 00:03:03 | 00:04:04 | <- revoked but not expired
| a04 | r04 | r03 | 3605 | 00:04:04 | |
* How to revoke a refresh token explicitly? => Delete the row instead of setting revoked_at.
* How to revoke an access token explicitly? => Set revoked_at. "Revoked but not expired" state is applicable only to refresh_token.
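The rotation logic behind the timeline above, as an added Python example that is not part of this gist. It assumes a 60-second grace window after revocation (the gist never states one, but its "revoked and expired" / "revoked but not expired" annotations are consistent with it), an in-memory list standing in for the access_tokens table, and timestamps expressed as seconds since 00:00:00.

```python
from dataclasses import dataclass
from typing import Optional

# Seconds a revoked refresh token may still be replayed by a concurrent refresh.
# Assumed value: the gist treats 61 s after revocation as expired and 1 s as not expired.
ROTATION_GRACE = 60
ACCESS_TOKEN_TTL = 3605  # the expires_in value used throughout the gist


@dataclass
class Row:  # one row of the access_tokens table; times are seconds since 00:00:00
    access_token: str
    refresh_token: str
    previous_refresh_token: Optional[str]
    expires_in: int
    created_at: int
    revoked_at: Optional[int] = None


class TokenStore:
    def __init__(self):
        self.rows = []  # constructed in-memory stand-in for the access_tokens table
        self._seq = 0

    def issue(self, prev, now):  # insert a new row; names follow the gist (a01/r01, a02/r02, ...)
        self._seq += 1
        row = Row(f"a{self._seq:02d}", f"r{self._seq:02d}", prev, ACCESS_TOKEN_TTL, now)
        self.rows.append(row)
        return row

    def refresh(self, refresh_token, now):
        row = next((r for r in self.rows if r.refresh_token == refresh_token), None)
        if row is None:  # never issued, or deleted by an explicit revoke
            raise PermissionError("unknown refresh token")
        if row.revoked_at is None:  # normal rotation: old row becomes "revoked but not expired"
            row.revoked_at = now
            return self.issue(refresh_token, now)
        if now - row.revoked_at > ROTATION_GRACE:
            raise PermissionError("refresh token revoked and expired")
        # Concurrent refresh inside the grace window: hand back the successor row.
        # previous_refresh_token needs a unique index so exactly one row matches.
        return next(r for r in self.rows if r.previous_refresh_token == refresh_token)

    def revoke_refresh_token(self, refresh_token):  # explicit revoke: delete the row
        self.rows = [r for r in self.rows if r.refresh_token != refresh_token]

    def access_token_valid(self, access_token, now):  # no grace window for access tokens
        r = next((x for x in self.rows if x.access_token == access_token), None)
        return r is not None and r.revoked_at is None and now < r.created_at + r.expires_in
```

Replaying the gist's timestamps (00:01:01 = 61 s, 00:02:02 = 122 s, 00:03:03 = 183 s, 00:03:04 = 184 s, 00:04:04 = 244 s) reproduces every table state above, including the second r02 refresh returning the same a03/r03 pair.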