Return error when token owner could not be found

03d1719c · Douglas Barbosa Alexandre · 5d4f78ab · 03d1719c · 03d1719c
Commit 03d1719c authored Nov 06, 2018 by Douglas Barbosa Alexandre
2 changed files
--- a/ee/app/services/oauth2/logout_token_validation_service.rb
+++ b/ee/app/services/oauth2/logout_token_validation_service.rb
@@ -10,13 +10,18 @@ module Oauth2
    end

    def execute
-      return error('Access token not found') unless access_token.present?
+      return error('Access token could not be found') unless access_token.present?

      status = AccessTokenValidationService.new(access_token).validate
      return error(status) unless status == AccessTokenValidationService::VALID

      user = User.find(access_token.resource_owner_id)
-      success(return_to: user_return_to) if user == current_user
+
+      if user && user == current_user
+        success(return_to: user_return_to)
+      else
+        error('User could not be found')
+      end
    end

    private

--- a/ee/spec/services/oauth2/logout_token_validation_service_spec.rb
+++ b/ee/spec/services/oauth2/logout_token_validation_service_spec.rb
@@ -27,7 +27,7 @@ describe Oauth2::LogoutTokenValidationService do
      expect(result[:status]).to eq(:error)
    end

-    it 'returns error when incorrect encoding' do
+    it 'returns error when token has incorrect encoding' do
      allow_any_instance_of(Gitlab::Geo::OauthSession)
        .to receive(:extract_logout_token)
        .and_return("\xD800\xD801\xD802")
@@ -37,6 +37,26 @@ describe Oauth2::LogoutTokenValidationService do
      expect(result[:status]).to eq(:error)
    end

+    it 'returns error when current user is nil' do
+      result = described_class.new(nil, state: logout_state).execute
+
+      expect(result).to eq(status: :error, message: 'User could not be found')
+    end
+
+    it 'returns error when token owner could not be found' do
+      allow(User).to receive(:find).with(user.id).and_return(nil)
+
+      result = described_class.new(user, state: logout_state).execute
+
+      expect(result).to eq(status: :error, message: 'User could not be found')
+    end
+
+    it 'returns error when token does not belong to the current user' do
+      result = described_class.new(create(:user), state: logout_state).execute
+
+      expect(result).to eq(status: :error, message: 'User could not be found')
+    end
+
    context 'when token is valid' do
      it 'returns success' do
        result = described_class.new(user, state: logout_state).execute