Add scopes and expires_in_seconds to token info

Prior to upgrading doorkeeper to 5.0.2 these attributes were both in the
token_info response. They have now been renamed to 'scope' and
'expires_in'.

Add these fields back in for now, so that we can get the security
fix with 5.0.2 out - and removed these fields after we can properly
communicate their deprecation.

app/controllers/oauth/token_info_controller.rb

+# frozen_string_literal: true
+
+class Oauth::TokenInfoController < Doorkeeper::TokenInfoController
+  def show
+    if doorkeeper_token && doorkeeper_token.accessible?
+      token_json = doorkeeper_token.as_json
+
+      # maintain backwards compatibility
+      render json: token_json.merge(
+        'scopes'             => token_json[:scope],
+        'expires_in_seconds' => token_json[:expires_in]
+      ), status: :ok
+    else
+      error = Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request)
+      response.headers.merge!(error.headers)
+      render json: error.body, status: error.status
+    end
+  end
+end

config/routes.rb

@@ -24,7 +24,8 @@ Rails.application.routes.draw do
   use_doorkeeper do
     controllers applications: 'oauth/applications',
                 authorized_applications: 'oauth/authorized_applications',
-                authorizations: 'oauth/authorizations'
+                authorizations: 'oauth/authorizations',
+                token_info: 'oauth/token_info'
   end
 
   # This prefixless path is required because Jira gets confused if we set it up with a path

spec/controllers/oauth/token_info_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::TokenInfoController do
+  describe '#show' do
+    context 'when the user is not authenticated' do
+      it 'responds with a 401' do
+        get :show
+
+        expect(response.status).to eq 401
+        expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+      end
+    end
+
+    context 'when the request is valid' do
+      let(:application) { create(:oauth_application, scopes: 'api') }
+      let(:access_token) do
+        create(:oauth_access_token, expires_in: 5.minutes, application: application)
+      end
+
+      it 'responds with the token info' do
+        get :show, params: { access_token: access_token.token }
+
+        expect(response.status).to eq 200
+        expect(JSON.parse(response.body)).to eq(
+          'scope'              => %w[api],
+          'scopes'             => %w[api],
+          'created_at'         => access_token.created_at.to_i,
+          'expires_in'         => access_token.expires_in,
+          'application'        => { 'uid' => application.uid },
+          'resource_owner_id'  => access_token.resource_owner_id,
+          'expires_in_seconds' => access_token.expires_in
+        )
+      end
+    end
+
+    context 'when the doorkeeper_token is not recognised' do
+      it 'responds with a 401' do
+        get :show, params: { access_token: 'unknown_token' }
+
+        expect(response.status).to eq 401
+        expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+      end
+    end
+
+    context 'when the token is expired' do
+      let(:access_token) do
+        create(:oauth_access_token, created_at: 2.days.ago, expires_in: 10.minutes)
+      end
+
+      it 'responds with a 401' do
+        get :show, params: { access_token: access_token.token }
+
+        expect(response.status).to eq 401
+        expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+      end
+    end
+
+    context 'when the token is revoked' do
+      let(:access_token) { create(:oauth_access_token, revoked_at: 2.days.ago) }
+
+      it 'responds with a 401' do
+        get :show, params: { access_token: access_token.token }
+
+        expect(response.status).to eq 401
+        expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+      end
+    end
+  end
+end