Fix 500 error for refresh with revoked access token.

fixes jazzband#585 Note that there are no integration tests, so the unit tests don't actually show the 500 error that would have been seen with a call to oauth2_provider/oauth2_backends.py:create_token_response.
robrap · Jul 11, 2018 · fbea0ae · fbea0ae
1 parent 096ed11
commit fbea0ae
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -625,6 +625,14 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         if not rt:
             return False
 
+        try:
+            # ensure access token was not revoked and later calls to get_original_scopes
+            # will not raise AccessToken.DoesNotExist.
+            if not rt.access_token_id:
+                AccessToken.objects.get(source_refresh_token_id=rt.id)
+        except AccessToken.DoesNotExist:
+            return False
+
         request.user = rt.user
         request.refresh_token = rt.token
         # Temporary store RefreshToken instance to be reused by get_original_scopes and save_bearer_token.

diff --git a/tests/test_oauth2_validators.py b/tests/test_oauth2_validators.py
@@ -270,6 +270,43 @@ def test_save_bearer_token__with_no_refresh_token__creates_new_access_token_only
         self.assertEqual(0, RefreshToken.objects.count())
         self.assertEqual(1, AccessToken.objects.count())
 
+    def test_validate_refresh_token__with_valid_access_token__returns_true(self):
+        access_token = AccessToken.objects.create(
+            token="123",
+            user=self.user,
+            expires=timezone.now() + datetime.timedelta(seconds=60),
+            application=self.application
+        )
+        refresh_token = RefreshToken.objects.create(
+            access_token=access_token,
+            token="abc",
+            user=self.user,
+            application=self.application
+        )
+        is_refresh_token_valid = self.validator.validate_refresh_token(
+            refresh_token=refresh_token, client=self.request.client, request=self.request
+        )
+        self.assertTrue(is_refresh_token_valid)
+
+    def test_validate_refresh_token__with_revoked_access_token__returns_false(self):
+        access_token = AccessToken.objects.create(
+            token="123",
+            user=self.user,
+            expires=timezone.now() + datetime.timedelta(seconds=60),
+            application=self.application
+        )
+        refresh_token = RefreshToken.objects.create(
+            access_token=access_token,
+            token="abc",
+            user=self.user,
+            application=self.application
+        )
+        self.validator.revoke_token(token=access_token, token_type_hint="access_token", request=self.request)
+        is_refresh_token_valid = self.validator.validate_refresh_token(
+            refresh_token=refresh_token, client=self.request.client, request=self.request
+        )
+        self.assertFalse(is_refresh_token_valid)
+
 
 class TestOAuth2ValidatorProvidesErrorData(TransactionTestCase):
     """These test cases check that the recommended error codes are returned