Return 401 when using invalid tokens in oauth/token/info

Changelog: fixed

Return 401 when using invalid tokens in oauth/token/info
Changelog: fixed
3e0738ce · Manoj M J · d0a9bffc · 3e0738ce · 3e0738ce
Commit 3e0738ce authored Jan 06, 2022 by Manoj M J
Showing with 13 additions and 13 deletions

app/controllers/oauth/token_info_controller.rb app/controllers/oauth/token_info_controller.rb +1 -1

spec/controllers/oauth/token_info_controller_spec.rb spec/controllers/oauth/token_info_controller_spec.rb +12 -12

No files found.
--- a/app/controllers/oauth/token_info_controller.rb
+++ b/app/controllers/oauth/token_info_controller.rb
@@ -13,7 +13,7 @@ class Oauth::TokenInfoController < Doorkeeper::TokenInfoController
        'expires_in_seconds' => token_json[:expires_in]
      ), status: :ok
    else
-      error = Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request)
+      error = Doorkeeper::OAuth::InvalidTokenResponse.new
      response.headers.merge!(error.headers)
      render json: error.body, status: error.status
    end

--- a/spec/controllers/oauth/token_info_controller_spec.rb
+++ b/spec/controllers/oauth/token_info_controller_spec.rb
@@ -5,11 +5,11 @@ require 'spec_helper'
 RSpec.describe Oauth::TokenInfoController do
  describe '#show' do
    context 'when the user is not authenticated' do
-      it 'responds with a 400' do
+      it 'responds with a 401' do
        get :show
-        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(response).to have_gitlab_http_status(:unauthorized)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
      end
    end
@@ -36,11 +36,11 @@ RSpec.describe Oauth::TokenInfoController do
    end
    context 'when the doorkeeper_token is not recognised' do
-      it 'responds with a 400' do
+      it 'responds with a 401' do
        get :show, params: { access_token: 'unknown_token' }
-        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(response).to have_gitlab_http_status(:unauthorized)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
      end
    end
@@ -49,22 +49,22 @@ RSpec.describe Oauth::TokenInfoController do
        create(:oauth_access_token, created_at: 2.days.ago, expires_in: 10.minutes)
      end
-      it 'responds with a 400' do
+      it 'responds with a 401' do
        get :show, params: { access_token: access_token.token }
-        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(response).to have_gitlab_http_status(:unauthorized)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
      end
    end
    context 'when the token is revoked' do
      let(:access_token) { create(:oauth_access_token, revoked_at: 2.days.ago) }
-      it 'responds with a 400' do
+      it 'responds with a 401' do
        get :show, params: { access_token: access_token.token }
-        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(response).to have_gitlab_http_status(:unauthorized)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
      end
    end
  end