From 14d481fcae092c71bfc0eb498ae649ecfa57893e Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Thu, 29 Feb 2024 13:04:35 +0100
Subject: [PATCH] IAM: Handle ErrNotFound for unknown tokens when introspecting
---
 auth/api/iam/api.go | 8 ++++++--
 auth/api/iam/api_test.go | 9 ++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index 6f92e01f7f..a903efb43d 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -226,8 +226,12 @@ func (r Wrapper) IntrospectAccessToken(_ context.Context, request IntrospectAcce
 token := AccessToken{}
 if err := r.accessTokenServerStore().Get(request.Body.Token, &token); err != nil {
 // Return 200 + 'Active = false' when token is invalid or malformed
- log.Logger().Debug("IntrospectAccessToken: failed to get token from store")
- return IntrospectAccessToken200JSONResponse{}, err
+ if errors.Is(err, storage.ErrNotFound) {
+ log.Logger().Debug("IntrospectAccessToken: token not found (unknown or expired)")
+ return IntrospectAccessToken200JSONResponse{}, nil
+ }
+ log.Logger().WithError(err).Error("IntrospectAccessToken: failed to retrieve token")
+ return nil, err
 }
 
 if token.Expiration.Before(time.Now()) {
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
index d3dfdca41b..f828ffeeec 100644
--- a/auth/api/iam/api_test.go
+++ b/auth/api/iam/api_test.go
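Review bot: The context comment `// Return 200 + 'Active = false' when token is invalid or malformed` is now stale, because the branch under it only does that for storage.ErrNotFound and turns every other store error into an HTTP error via `return nil, err`; move it into the `errors.Is` branch as `// Unknown token: RFC 7662 §2.2 says answer 200 with active=false, not an error` and mark the fallthrough with `// Any other store failure (e.g. undecodable entry) is an internal error, not a verdict on the token`. The Debug message `token not found (unknown or expired)` also overlaps with the explicit expiration check that follows the hunk; unless the store evicts entries on TTL (not visible here), "expired" is misleading and could be dropped. Whether the returned error string (the test pins `json: cannot unmarshal`) is relayed to the introspecting client depends on the error mapping outside this hunk; it is worth confirming that path emits a generic 500 rather than internal detail, since the introspection endpoint is reachable by resource servers. IntrospectAccessToken starts and ends outside the hunk.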
@@ -564,9 +564,16 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 })
+ t.Run("error - other store error", func(t *testing.T) {
+ // token is invalid JSON
+ require.NoError(t, ctx.client.accessTokenServerStore().Put("err", "{"))
+ res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "err"}})
+ assert.ErrorContains(t, err, "json: cannot unmarshal")
+ assert.Nil(t, res)
+ })
 t.Run("error - does not exist", func(t *testing.T) {
 res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "does not exist"}})
- require.ErrorIs(t, err, storage.ErrNotFound)
+ require.NoError(t, err)
 assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 })
 t.Run("error - expired token", func(t *testing.T) {