From 40a6f4b85f83b62e7f3c1e3f52f5fab4a7c4b17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 6 Feb 2018 16:07:54 +0100
Subject: [PATCH] Update the application/token managers to throw an exception when trying to create a duplicate entry
---
 .../Managers/OpenIddictApplicationManager.cs | 12 +++++++++++-
 .../Managers/OpenIddictTokenManager.cs | 14 ++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index e1ce0030..af9ec407 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -938,11 +938,21 @@ namespace OpenIddict.Core
 ///
 protected virtual async Task ValidateAsync([NotNull] TApplication application, CancellationToken cancellationToken = default)
 {
- if (string.IsNullOrEmpty(await Store.GetClientIdAsync(application, cancellationToken)))
+ var identifier = await Store.GetClientIdAsync(application, cancellationToken);
+ if (string.IsNullOrEmpty(identifier))
 {
 throw new ArgumentException("The client identifier cannot be null or empty.", nameof(application));
 }

+ // Ensure the client_id is not already used for a different application.
+ var other = await Store.FindByClientIdAsync(identifier, cancellationToken);
+ if (other != null && !string.Equals(
+ await Store.GetIdAsync(other, cancellationToken),
+ await Store.GetIdAsync(application, cancellationToken), StringComparison.Ordinal))
+ {
+ throw new ArgumentException("An application with the same client identifier already exists.", nameof(application));
+ }
+
 var type = await Store.GetClientTypeAsync(application, cancellationToken);
 if (string.IsNullOrEmpty(type))
 {
diff --git a/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs b/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
index 9db48cbb..7f75f002 100644
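Review bot: The uniqueness check added to ValidateAsync is not atomic with the write that follows it: two concurrent creations carrying the same client_id can both see `FindByClientIdAsync` return null and both be persisted, so the guarantee only holds if the store enforces it as well. The same read-then-write pattern appears in the `FindByReferenceIdAsync` check added to OpenIddictTokenManager.cs. I would state that dependency next to the check, e.g. `// Best-effort check only: the store must enforce a unique constraint on client_id to close the race between this lookup and the insert.` Whether the stores already declare such a constraint is not visible in this patch. ValidateAsync's body continues outside the hunk.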
--- a/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
@@ -833,6 +833,20 @@ namespace OpenIddict.Core
 throw new ArgumentNullException(nameof(token));
 }

+ // If a reference identifier was associated with the token,
+ // ensure it's not already used for a different token.
+ var identifier = await Store.GetReferenceIdAsync(token, cancellationToken);
+ if (!string.IsNullOrEmpty(identifier))
+ {
+ var other = await Store.FindByReferenceIdAsync(identifier, cancellationToken);
+ if (other != null && !string.Equals(
+ await Store.GetIdAsync(other, cancellationToken),
+ await Store.GetIdAsync(token, cancellationToken), StringComparison.Ordinal))
+ {
+ throw new ArgumentException("A token with the same reference identifier already exists.", nameof(token));
+ }
+ }
+
 var type = await Store.GetTokenTypeAsync(token, cancellationToken);
 if (string.IsNullOrEmpty(type))
 {