

Merge pull request #1243 from linhdangduy/add_nil_check_operator
Add nil check operator in token checking at token introspection
nbulaj authored Apr 10, 2019
2 parents 9bb03f8 + c91cef6 commit 07a3e17
Showing 3 changed files with 23 additions and 9 deletions.
1 change: 1 addition & 0 deletions NEWS.md
Expand Up @@ -7,6 +7,7 @@ User-visible changes worth mentioning.

## master

- [#1243]: Add nil check operator in token checking at token introspection.
- [#1241] Explaining foreign key options for resource owner in a single place
- [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
- [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
2 changes: 1 addition & 1 deletion lib/doorkeeper/oauth/token_introspection.rb
Expand Up @@ -163,7 +163,7 @@ def valid_token?

# RFC7662 Section 2.1
def authorized_token_matches_introspected?
authorized_token.token == @token.token
authorized_token.token == @token&.token
end

# If token doesn't belong to some client, then it is public.
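Review bot: The `&.` added on `authorized_token.token == @token&.token` folds the not-found introspected token into a plain `false` without saying so, and a reader could easily "simplify" it back; a one-line comment above the comparison would preserve the intent, e.g. `# @token is nil when the introspected token was not found: answer false rather than raise, so the caller can respond with "active": false (RFC 7662 §2.2).` An explicit guard, `return false unless @token`, followed by the original comparison would make the same intent visible in the code itself. The spec added in this commit ("authorized using valid Bearer token" / "responds with only active state") confirms that a false result here is meant to end in an `active: false` response rather than an error. `authorized_token` is still dereferenced unconditionally on this line, so if any authorization path can leave it nil the method still raises; that cannot be confirmed from the hunk, and the caller of this predicate is outside it.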
29 changes: 21 additions & 8 deletions spec/controllers/tokens_controller_spec.rb
Expand Up @@ -213,14 +213,14 @@
end

context "authorized using invalid Bearer token" do
let(:token_for_introspection) do
let(:access_token) do
FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
end

it "responds with invalid token error" do
request.headers["Authorization"] = "Bearer #{token_for_introspection.token}"
request.headers["Authorization"] = "Bearer #{access_token.token}"

post :introspect, params: { token: access_token.token }
post :introspect, params: { token: token_for_introspection.token }

response_status_should_be 401

Expand Down Expand Up @@ -260,13 +260,26 @@
end

context "using wrong token value" do
it "responds with only active state" do
request.headers["Authorization"] = basic_auth_header_for_client(client)
context "authorized using client credentials" do
it "responds with only active state" do
request.headers["Authorization"] = basic_auth_header_for_client(client)

post :introspect, params: { token: SecureRandom.hex(16) }
post :introspect, params: { token: SecureRandom.hex(16) }

should_have_json "active", false
expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
should_have_json "active", false
expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
end
end

context "authorized using valid Bearer token" do
it "responds with only active state" do
request.headers["Authorization"] = "Bearer #{access_token.token}"

post :introspect, params: { token: SecureRandom.hex(16) }

should_have_json "active", false
expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
end
end
end

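Review bot: The new example under "authorized using valid Bearer token" (second hunk) asserts the body but not the status, so it would still pass if the unknown-token path produced a non-2xx response carrying a JSON body without those keys; adding `response_status_should_be 200` after the `post :introspect` line pins the behaviour the library fix exists for, since RFC 7662 §2.2 has an unknown or invalid token answered with `"active": false` in a normal introspection response rather than an authorization failure. The same helper is already used in the first hunk (`response_status_should_be 401`), so it is in scope. In the first hunk, the swap makes `access_token` the revoked Bearer credential while `token_for_introspection` is introspected but no longer defined inside this context; it presumably resolves to an outer `let` outside the hunk, which is worth confirming so the example still introspects a token other than the revoked one. Both hunks sit inside describe blocks whose opening lines are outside the view.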
