Commit 06dcb17e authored by Josianne Hyson's avatar Josianne Hyson

Add scopes and expires_in_seconds to token info

Prior to upgrading doorkeeper to 5.0.2 these attributes were both in the
token_info response. They have now been renamed to 'scope' and
'expires_in'.

Add these fields back in for now, so that we can get the security
fix in 5.0.2 out, and remove these fields once we can properly
communicate their deprecation.
parent 1d02523d
# frozen_string_literal: true
class Oauth::TokenInfoController < Doorkeeper::TokenInfoController
def show
if doorkeeper_token && doorkeeper_token.accessible?
token_json = doorkeeper_token.as_json
# maintain backwards compatibility
render json: token_json.merge(
'scopes' => token_json[:scope],
'expires_in_seconds' => token_json[:expires_in]
), status: :ok
else
error = Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request)
response.headers.merge!(error.headers)
render json: error.body, status: error.status
end
end
end
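Review bot: The comment `# maintain backwards compatibility` should say what is being kept and why, since the commit message describes the extra keys as temporary; e.g. `# TODO(deprecation): 'scopes' and 'expires_in_seconds' are legacy aliases of 'scope' and 'expires_in' (renamed in doorkeeper 5.0.2); remove once clients have been told.` The lookups `token_json[:scope]` and `token_json[:expires_in]` also rely on as_json returning symbol keys; if that ever changes the aliases would silently become null, whereas `token_json.fetch(:scope)` would surface it as a failing spec. The else branch duplicates the parent controller's error handling, which is worth a short comment so the next doorkeeper bump is checked against it.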
......@@ -24,7 +24,8 @@ Rails.application.routes.draw do
use_doorkeeper do
controllers applications: 'oauth/applications',
authorized_applications: 'oauth/authorized_applications',
authorizations: 'oauth/authorizations'
authorizations: 'oauth/authorizations',
token_info: 'oauth/token_info'
end
# This prefixless path is required because Jira gets confused if we set it up with a path
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Oauth::TokenInfoController do
describe '#show' do
context 'when the user is not authenticated' do
it 'responds with a 401' do
get :show
expect(response.status).to eq 401
expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
end
end
context 'when the request is valid' do
let(:application) { create(:oauth_application, scopes: 'api') }
let(:access_token) do
create(:oauth_access_token, expires_in: 5.minutes, application: application)
end
it 'responds with the token info' do
get :show, params: { access_token: access_token.token }
expect(response.status).to eq 200
expect(JSON.parse(response.body)).to eq(
'scope' => %w[api],
'scopes' => %w[api],
'created_at' => access_token.created_at.to_i,
'expires_in' => access_token.expires_in,
'application' => { 'uid' => application.uid },
'resource_owner_id' => access_token.resource_owner_id,
'expires_in_seconds' => access_token.expires_in
)
end
end
context 'when the doorkeeper_token is not recognised' do
it 'responds with a 401' do
get :show, params: { access_token: 'unknown_token' }
expect(response.status).to eq 401
expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
end
end
context 'when the token is expired' do
let(:access_token) do
create(:oauth_access_token, created_at: 2.days.ago, expires_in: 10.minutes)
end
it 'responds with a 401' do
get :show, params: { access_token: access_token.token }
expect(response.status).to eq 401
expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
end
end
context 'when the token is revoked' do
let(:access_token) { create(:oauth_access_token, revoked_at: 2.days.ago) }
it 'responds with a 401' do
get :show, params: { access_token: access_token.token }
expect(response.status).to eq 401
expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
end
end
end
end
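Review bot: The `'scopes'` and `'expires_in_seconds'` expectations in the 'responds with the token info' example are the temporary aliases added by the controller, but nothing in the spec marks them as such; a comment like `# legacy aliases of 'scope'/'expires_in'; drop together with the controller merge` beside them would make the later removal a one-line change. The 401 examples check only status and body, while the controller also merges `error.headers` into the response; asserting on those headers (Doorkeeper's ErrorResponse appears to set Cache-Control and WWW-Authenticate, worth confirming against the gem version in use) would cover the branch the override copied from the parent.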