-rw-r--r--app/oauth.go2
-rw-r--r--app/oauth_test.go52
-rw-r--r--store/sql_oauth_store.go11
-rw-r--r--store/sql_oauth_store_test.go24
4 files changed, 89 insertions, 0 deletions
diff --git a/app/oauth.go b/app/oauth.go
index 4bc84272b..e2d389569 100644
--- a/app/oauth.go
+++ b/app/oauth.go
@@ -62,6 +62,8 @@ func DeleteOAuthApp(appId string) *model.AppError {
return err
}
+ InvalidateAllCaches()
+
return nil
}
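Review bot: The added `InvalidateAllCaches()` call in DeleteOAuthApp has no comment tying it to the session rows the store now deletes, so a later reader could narrow or remove it and leave revoked OAuth sessions answerable from cache. I would put `// Sessions issued through this app were just deleted in the store; drop cached copies so their tokens stop authenticating.` above the call. Flushing every cache for a single app delete is broad, and whether the flush also reaches other nodes in a clustered deployment is not visible from this hunk and is worth confirming. DeleteOAuthApp begins outside the hunk.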
diff --git a/app/oauth_test.go b/app/oauth_test.go
index 9e8fdfc7d..185f5d73f 100644
--- a/app/oauth_test.go
+++ b/app/oauth_test.go
@@ -7,6 +7,7 @@ import (
"testing"
"github.com/mattermost/platform/model"
+ "github.com/mattermost/platform/utils"
)
func TestOAuthRevokeAccessToken(t *testing.T) {
@@ -42,3 +43,54 @@ func TestOAuthRevokeAccessToken(t *testing.T) {
t.Fatal(err)
}
}
+
+func TestOAuthDeleteApp(t *testing.T) {
+ Setup()
+
+ oldSetting := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider
+ defer func() {
+ utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = oldSetting
+ }()
+ utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
+
+ a1 := &model.OAuthApp{}
+ a1.CreatorId = model.NewId()
+ a1.Name = "TestApp" + model.NewId()
+ a1.CallbackUrls = []string{"https://nowhere.com"}
+ a1.Homepage = "https://nowhere.com"
+
+ var err *model.AppError
+ a1, err = CreateOAuthApp(a1)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ session := &model.Session{}
+ session.CreateAt = model.GetMillis()
+ session.UserId = model.NewId()
+ session.Token = model.NewId()
+ session.Roles = model.ROLE_SYSTEM_USER.Id
+ session.IsOAuth = true
+ session.SetExpireInDays(1)
+
+ session, _ = CreateSession(session)
+
+ accessData := &model.AccessData{}
+ accessData.Token = session.Token
+ accessData.UserId = session.UserId
+ accessData.RedirectUri = "http://example.com"
+ accessData.ClientId = a1.Id
+ accessData.ExpiresAt = session.ExpiresAt
+
+ if result := <-Srv.Store.OAuth().SaveAccessData(accessData); result.Err != nil {
+ t.Fatal(result.Err)
+ }
+
+ if err := DeleteOAuthApp(a1.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ if _, err := GetSession(session.Token); err == nil {
+ t.Fatal("should not get session from cache or db")
+ }
+}
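Review bot: TestOAuthDeleteApp can pass without proving anything about revocation, because `session, _ = CreateSession(session)` discards the error and the test never confirms the session resolves before `DeleteOAuthApp` runs. If the session was never stored or cached, the final `GetSession` check fails for the wrong reason and the test still goes green. Checking the CreateSession error and calling `GetSession(session.Token)` once before the delete closes that gap; the pre-delete lookup presumably also warms the session cache, which is the path the last assertion is meant to cover. The sketch assumes CreateSession returns a `*model.AppError` like CreateOAuthApp does.

```go
	session, err = CreateSession(session)
	if err != nil {
		t.Fatal(err)
	}

	// … unchanged: accessData setup and SaveAccessData …

	// The session must resolve before the delete, otherwise the final check passes vacuously.
	if _, err := GetSession(session.Token); err != nil {
		t.Fatal(err)
	}

	// … unchanged: DeleteOAuthApp call and the post-delete GetSession check …
```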
diff --git a/store/sql_oauth_store.go b/store/sql_oauth_store.go
index 8637055ae..8e23a8cb2 100644
--- a/store/sql_oauth_store.go
+++ b/store/sql_oauth_store.go
@@ -521,6 +521,17 @@ func (as SqlOAuthStore) deleteApp(transaction *gorp.Transaction, clientId string
return result
}
+ return as.deleteOAuthAppSessions(transaction, clientId)
+}
+
+func (as SqlOAuthStore) deleteOAuthAppSessions(transaction *gorp.Transaction, clientId string) StoreResult {
+ result := StoreResult{}
+
+ if _, err := transaction.Exec("DELETE s.* FROM Sessions s INNER JOIN OAuthAccessData o ON o.Token = s.Token WHERE o.ClientId = :Id", map[string]interface{}{"Id": clientId}); err != nil {
+ result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete_app.app_error", nil, "id="+clientId+", err="+err.Error())
+ return result
+ }
+
return as.deleteOAuthTokens(transaction, clientId)
}
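Review bot: The `DELETE s.* FROM Sessions s INNER JOIN …` statement in deleteOAuthAppSessions is MySQL's multi-table delete form, which other dialects such as PostgreSQL reject. If this store is ever run on anything other than MySQL, the statement would fail inside the transaction, so the app could not be deleted and its sessions would stay valid. A portable equivalent is `DELETE FROM Sessions WHERE Token IN (SELECT Token FROM OAuthAccessData WHERE ClientId = :Id)`. The function also needs a comment saying it must run before deleteOAuthTokens, since the statement locates sessions through the OAuthAccessData rows that deleteOAuthTokens presumably removes. deleteApp begins outside the hunk.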
diff --git a/store/sql_oauth_store_test.go b/store/sql_oauth_store_test.go
index 8c707562f..4dc09b830 100644
--- a/store/sql_oauth_store_test.go
+++ b/store/sql_oauth_store_test.go
@@ -414,7 +414,31 @@ func TestOAuthStoreDeleteApp(t *testing.T) {
t.Fatal(err)
}
+ s1 := model.Session{}
+ s1.UserId = model.NewId()
+ s1.Token = model.NewId()
+ s1.IsOAuth = true
+
+ Must(store.Session().Save(&s1))
+
+ ad1 := model.AccessData{}
+ ad1.ClientId = a1.Id
+ ad1.UserId = a1.CreatorId
+ ad1.Token = s1.Token
+ ad1.RefreshToken = model.NewId()
+ ad1.RedirectUri = "http://example.com"
+
+ Must(store.OAuth().SaveAccessData(&ad1))
+
if err := (<-store.OAuth().DeleteApp(a1.Id)).Err; err != nil {
t.Fatal(err)
}
+
+ if err := (<-store.Session().Get(s1.Token)).Err; err == nil {
+ t.Fatal("should error - session should be deleted")
+ }
+
+ if err := (<-store.OAuth().GetAccessData(s1.Token)).Err; err == nil {
+ t.Fatal("should error - access data should be deleted")
+ }
}
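Review bot: The new assertions in TestOAuthStoreDeleteApp only check that the session tied to `a1` is gone, so a DELETE that is too broad (for example one that lost its `ClientId` filter) would pass just as well. Adding a control session with no access data for `a1` and asserting it survives `DeleteApp` pins the scope of the delete. TestOAuthStoreDeleteApp begins outside the hunk.

```go
	// Control session with no access data for a1: it must survive the delete.
	s2 := model.Session{}
	s2.UserId = model.NewId()
	s2.Token = model.NewId()
	Must(store.Session().Save(&s2))

	// … unchanged: s1/ad1 setup, DeleteApp call and the two deletion checks …

	if err := (<-store.Session().Get(s2.Token)).Err; err != nil {
		t.Fatal("unrelated session should not be deleted")
	}
```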