Fix 500 API errors with invalid access tokens

When the API is called with a revoked or invalid token, the error handler did not properly return a `Rack::Response`, causing Grape to throw an error in the middleware. Instead of a 4xx error code, the client would receive a 500 error. We fix this by recreating the Rack::Response after the `Rack::OAuth2::Server::Abstract::Error#finish` call. The `yield` is intercepted by the superclass, so the API handler never got it. Relates to https://gitlab.com/gitlab-com/gl-infra/production/-/issues/2363

Fix 500 API errors with invalid access tokens
When the API is called with a revoked or invalid token, the error handler did not properly return a `Rack::Response`, causing Grape to throw an error in the middleware. Instead of a 4xx error code, the client would receive a 500 error. We fix this by recreating the Rack::Response after the `Rack::OAuth2::Server::Abstract::Error#finish` call. The `yield` is intercepted by the superclass, so the API handler never got it. Relates to https://gitlab.com/gitlab-com/gl-infra/production/-/issues/2363
866e1518 · Stan Hu · d52619d7 · 866e1518 · 866e1518 · 866e1518
Commit 866e1518 authored Jul 02, 2020 by Stan Hu
3 changed files
--- a/changelogs/unreleased/sh-fix-api-error-handling.yml
+++ b/changelogs/unreleased/sh-fix-api-error-handling.yml
+---
+title: Fix 500 errors with invalid access tokens
+merge_request: 35895
+author:
+type: fixed
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -153,16 +153,14 @@ module API
                { scope: e.scopes })
            end

-          finished_response = nil
-          response.finish do |rack_response|
+          status, headers, body = response.finish
+
          # Grape expects a Rack::Response
          # (https://github.com/ruby-grape/grape/commit/c117bff7d22971675f4b34367d3a98bc31c8fc02),
-            # and we need to retrieve it here:
-            # https://github.com/nov/rack-oauth2/blob/40c9a99fd80486ccb8de0e4869ae384547c0d703/lib/rack/oauth2/server/abstract/error.rb#L28
-            finished_response = rack_response
-          end
-
-          finished_response
+          # so we need to recreate the response again even though
+          # response.finish already does this.
+          # (https://github.com/nov/rack-oauth2/blob/40c9a99fd80486ccb8de0e4869ae384547c0d703/lib/rack/oauth2/server/abstract/error.rb#L26).
+          Rack::Response.new(body, status, headers)
        end
      end
    end

--- a/spec/requests/api/api_spec.rb
+++ b/spec/requests/api/api_spec.rb
@@ -36,6 +36,14 @@ RSpec.describe API::API do
        expect(response).to have_gitlab_http_status(:ok)
      end

+      it 'does not authorize user for revoked token' do
+        revoked = create(:personal_access_token, :revoked, user: user, scopes: [:read_api])
+
+        get api('/groups', personal_access_token: revoked)
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+
      it 'does not authorize user for post request' do
        params = attributes_for_group_api