How to properly make one-off queries in CQRS system?

Question

I have a system which gives an access to the set of resources via access tokens. So when clients need to access some particular resource they ask for the token (one resource - one token). I need to make one-off (or at least limited in time) token, to ensure even if tokens are leaked, they will soon become inactive.

What is the proper way to achieve that in CQRS based system? Querying the resource should not change the system state. In other words - we can't invalidate token in query handler. Can we?

Answer 1

These are different concerns. What I would do:

1. An edge check the authorisation (using the token provided) and calls the query handler, together with the query/token info
2. Query returns the result
3. The edge publishes an event "TokenHasBeenUsed"
4. The edge returns the query result
5. Token provider consumes the event and invalidates the token.

You can also build it scheduling, invalidating the token after a while if not used. Plus, you can also have a usage counter or something and it all does not need to be blended to the edge or query handler.