IAM: Handle ErrNotFound for unknown tokens when introspecting (#2847)
reinkrul authored Mar 5, 2024
1 parent 2004122 commit 42ebee7
Showing 2 changed files with 14 additions and 3 deletions.
8 changes: 6 additions & 2 deletions auth/api/iam/api.go
@@ -226,8 +226,12 @@ func (r Wrapper) IntrospectAccessToken(_ context.Context, request IntrospectAcce
token := AccessToken{}
if err := r.accessTokenServerStore().Get(request.Body.Token, &token); err != nil {
// Return 200 + 'Active = false' when token is invalid or malformed
log.Logger().Debug("IntrospectAccessToken: failed to get token from store")
return IntrospectAccessToken200JSONResponse{}, err
if errors.Is(err, storage.ErrNotFound) {
log.Logger().Debug("IntrospectAccessToken: token not found (unknown or expired)")
return IntrospectAccessToken200JSONResponse{}, nil
}
log.Logger().WithError(err).Error("IntrospectAccessToken: failed to retrieve token")
return nil, err
}

if token.Expiration.Before(time.Now()) {
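Review bot: The comment kept above the new branch, `// Return 200 + 'Active = false' when token is invalid or malformed`, no longer describes the code: only `storage.ErrNotFound` yields the empty (inactive) response now, and every other store failure is returned as an error. I would reword it to `// Return 200 + 'Active = false' only for unknown or expired tokens; any other store error is returned to the caller`. The `return nil, err` path also hands the raw store error upward; how it is rendered is outside this hunk, but if the error handler echoes it in the response body, decode details such as the message asserted in api_test.go would reach the introspection client, so a generic error for the caller with the detail kept in the `Error` log would be safer. IntrospectAccessToken starts and ends outside the hunk.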
9 changes: 8 additions & 1 deletion auth/api/iam/api_test.go
@@ -564,9 +564,16 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
})
t.Run("error - other store error", func(t *testing.T) {
// token is invalid JSON
require.NoError(t, ctx.client.accessTokenServerStore().Put("err", "{"))
res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "err"}})
assert.ErrorContains(t, err, "json: cannot unmarshal")
assert.Nil(t, res)
})
t.Run("error - does not exist", func(t *testing.T) {
res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "does not exist"}})
require.ErrorIs(t, err, storage.ErrNotFound)
require.NoError(t, err)
assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
})
t.Run("error - expired token", func(t *testing.T) {
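Review bot: The comment `// token is invalid JSON` in the new "error - other store error" subtest does not match what its assertion pins: `json: cannot unmarshal` is encoding/json's type-mismatch message, while syntactically invalid JSON produces a syntax error instead, so presumably `Put` encodes `"{"` as a JSON string that then fails to decode into an AccessToken. I would reword it to `// stored value is a JSON string, which does not decode into an AccessToken`. Matching on standard-library message text is brittle; asserting `require.Error(t, err)` together with `assert.NotErrorIs(t, err, storage.ErrNotFound)` would pin the intended distinction without depending on the wording. The "error - does not exist" subtest now asserts `require.NoError`, so its "error -" prefix describes the inactive result rather than a returned error; a name such as `"inactive - token does not exist"` would read more accurately. TestWrapper_IntrospectAccessToken and the last subtest continue outside the hunk.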