krombel/oauth2
1
0
Fork 0
forked from remote/oauth2
Code Pull Requests 1 Activity

internal: return error if no access_token present in server response

Browse Source 
This behavior and test was introduced in 0ae3d4edc9.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error.  Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.

Cleans up some tests responding with invalid data.

Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>
This commit is contained in:
Ross Light
2017-12-28 11:07:42 -08:00
parent 542ae755da
commit ee2bad97a9
3 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/token.go
View File

@@ -6,6 +6,7 @@ package internal
import ( import (
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
@@ -250,6 +251,9 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
if token.RefreshToken == "" { if token.RefreshToken == "" {
token.RefreshToken = v.Get("refresh_token") token.RefreshToken = v.Get("refresh_token")
} }
if token.AccessToken == "" {
return token, errors.New("oauth2: server response missing access_token")
}
return token, nil return token, nil
} }

6
internal/token_test.go
View File

@@ -33,7 +33,8 @@ func TestRetrieveTokenBustedNoSecret(t *testing.T) {
if got, want := r.FormValue("client_secret"), ""; got != want { if got, want := r.FormValue("client_secret"), ""; got != want {
t.Errorf("client_secret = %q; want empty", got) t.Errorf("client_secret = %q; want empty", got)
} }
io.WriteString(w, "{}") // something non-empty, required to set a Content-Type in Go 1.10 w.Header().Set("Content-Type", "application/json")
io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
})) }))
defer ts.Close() defer ts.Close()
@@ -85,7 +86,8 @@ func TestRetrieveTokenWithContexts(t *testing.T) {
const clientID = "client-id" const clientID = "client-id"
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
io.WriteString(w, "{}") // something non-empty, required to set a Content-Type in Go 1.10 w.Header().Set("Content-Type", "application/json")
io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
})) }))
defer ts.Close() defer ts.Close()

11
oauth2_test.go
View File

@@ -278,12 +278,9 @@ func TestExchangeRequest_BadResponse(t *testing.T) {
})) }))
defer ts.Close() defer ts.Close()
conf := newConf(ts.URL) conf := newConf(ts.URL)
tok, err := conf.Exchange(context.Background(), "code") _, err := conf.Exchange(context.Background(), "code")
if err != nil { if err == nil {
t.Fatal(err) t.Error("expected error from missing access_token")
}
if tok.AccessToken != "" {
t.Errorf("Unexpected access token, %#v.", tok.AccessToken)
} }
} }
@@ -296,7 +293,7 @@ func TestExchangeRequest_BadResponseType(t *testing.T) {
conf := newConf(ts.URL) conf := newConf(ts.URL)
_, err := conf.Exchange(context.Background(), "exchange-code") _, err := conf.Exchange(context.Background(), "exchange-code")
if err == nil { if err == nil {
t.Error("expected error from invalid access_token type") t.Error("expected error from non-string access_token")
} }
} }