From 90aff451787fd95fbca0d5d7e167c21af430b301 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang
Date: Thu, 28 Mar 2019 21:48:22 +0900
Subject: [PATCH] Fix #119 non-compliant invalid token response for RFC7009.
---
authlib/oauth2/rfc7009/revocation.py | 19 ++++++++++---------
docs/changelog.rst | 1 +
.../test_oauth2/test_token_revocation.py | 13 ++-----------
3 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/authlib/oauth2/rfc7009/revocation.py b/authlib/oauth2/rfc7009/revocation.py
index 76ee7ccb..158000a7 100644
--- a/authlib/oauth2/rfc7009/revocation.py
+++ b/authlib/oauth2/rfc7009/revocation.py
@@ -1,6 +1,8 @@
from ..rfc6749 import TokenEndpoint
from ..rfc6749 import (
- OAuth2Error, InvalidRequestError, UnsupportedTokenTypeError
+ OAuth2Error,
+ InvalidRequestError,
+ UnsupportedTokenTypeError,
)
@@ -37,8 +39,6 @@ def validate_endpoint_request(self):
raise UnsupportedTokenTypeError()
token = self.query_token(
params['token'], token_type, self.request.client)
- if not token:
- raise InvalidRequestError()
self.request.credential = token
def create_endpoint_response(self):
@@ -62,12 +62,13 @@ def create_endpoint_response(self):
# the revocation request
self.validate_endpoint_request()
# the authorization server invalidates the token
- self.revoke_token(self.request.credential)
- self.server.send_signal(
- 'after_revoke_token',
- token=self.request.credential,
- client=self.request.client,
- )
+ if self.request.credential:
+ self.revoke_token(self.request.credential)
+ self.server.send_signal(
+ 'after_revoke_token',
+ token=self.request.credential,
+ client=self.request.client,
+ )
status = 200
body = {}
headers = [
diff --git a/docs/changelog.rst b/docs/changelog.rst
index d6c45793..5264fa0e 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
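Review bot: With the `if not token` guard removed, `self.request.credential` may now be `None` when `validate_endpoint_request` returns, but nothing in the hunk records that callers must tolerate it; a comment on the assignment line would make the contract explicit, e.g. `# RFC 7009 §2.2: an unknown or invalid token is not an error, so credential may be None`. `query_token` is called with `self.request.client`; if it also returns None for a token issued to a different client, that case now gets the same 200 as an unknown token, which avoids revealing to one client whether another client's token exists, though RFC 7009 §2.1 describes refusing such a request — the intended behavior deserves a sentence in the method's docstring. `InvalidRequestError` is still imported by the first hunk; whether it remains used depends on code outside this hunk. The body of validate_endpoint_request begins outside the hunk.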
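Review bot: The new `if self.request.credential:` branch has no else path, so a revocation request for an unknown token produces no `after_revoke_token` signal, no log entry and no other observable event; repeated requests with invalid or guessed tokens therefore leave nothing for monitoring to pick up, and a debug-level log line (or a distinct signal) on the not-found path would close that gap without changing the 200 response. A why-comment above the branch would also keep a later maintainer from restoring the error response, e.g. `# RFC 7009 §2.2: an invalid token must not produce an error response;` followed by `# respond 200 whether or not anything was revoked`. The rest of create_endpoint_response lies outside the hunk.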
@@ -28,6 +28,7 @@ Small changes and bug fixes in this release:
- Fixed error response for invalid/expired refresh token via :gh:`issue#112`.
- Fixed error handle for invalid redirect uri via :gh:`issue#113`.
- Fixed error response redirect to fragment via :gh:`issue#114`.
+- Fixed non-compliant responses from RFC7009 via :gh:`issue#119`.
**Deprecate Changes**: find how to solve the deprecate issues via https://git.io/fjvpt
diff --git a/tests/flask/test_oauth2/test_token_revocation.py b/tests/flask/test_oauth2/test_token_revocation.py
index 81719e20..2b619ff5 100644
--- a/tests/flask/test_oauth2/test_token_revocation.py
+++ b/tests/flask/test_oauth2/test_token_revocation.py
@@ -76,8 +76,7 @@ def test_invalid_token(self):
rv = self.client.post('/oauth/revoke', data={
'token': 'invalid-token',
}, headers=headers)
- resp = json.loads(rv.data)
- self.assertEqual(resp['error'], 'invalid_request')
+ self.assertEqual(rv.status_code, 200)
rv = self.client.post('/oauth/revoke', data={
'token': 'a1',
@@ -90,8 +89,7 @@ def test_invalid_token(self):
'token': 'a1',
'token_type_hint': 'refresh_token',
}, headers=headers)
- resp = json.loads(rv.data)
- self.assertEqual(resp['error'], 'invalid_request')
+ self.assertEqual(rv.status_code, 200)
def test_revoke_token_with_hint(self):
self.prepare_data()
@@ -105,13 +103,6 @@ def test_revoke_token_with_hint(self):
}, headers=headers)
self.assertEqual(rv.status_code, 200)
- rv = self.client.post('/oauth/revoke', data={
- 'token': 'a1',
- 'token_type_hint': 'access_token',
- }, headers=headers)
- resp = json.loads(rv.data)
- self.assertEqual(resp['error'], 'invalid_request')
-
def test_revoke_token_without_hint(self):
self.prepare_data()
self.create_token()
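Review bot: In `test_revoke_token_with_hint` the mismatched-hint request (`'token': 'a1'` with `'token_type_hint': 'access_token'`) is deleted rather than updated, so the path where the hint does not match the token's real type is now untested; keeping the request and replacing the two removed assertion lines with `self.assertEqual(rv.status_code, 200)` would preserve that coverage. The two earlier hunks in this file assert only the status code; the endpoint hunk shows `body = {}`, so also asserting the body is empty would pin the full RFC 7009 response rather than just the code. Since every `json.loads(rv.data)` call in this file is removed here, the module's `json` import may be left unused — worth checking, as it is outside the hunks. Each of the three test methods starts or ends outside its hunk.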