Return error when token owner could not be found

parent 5d4f78ab
...@@ -10,13 +10,18 @@ module Oauth2 ...@@ -10,13 +10,18 @@ module Oauth2
end end
def execute def execute
return error('Access token not found') unless access_token.present? return error('Access token could not be found') unless access_token.present?
status = AccessTokenValidationService.new(access_token).validate status = AccessTokenValidationService.new(access_token).validate
return error(status) unless status == AccessTokenValidationService::VALID return error(status) unless status == AccessTokenValidationService::VALID
user = User.find(access_token.resource_owner_id) user = User.find(access_token.resource_owner_id)
success(return_to: user_return_to) if user == current_user
if user && user == current_user
success(return_to: user_return_to)
else
error('User could not be found')
end
end end
private private
......
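Review bot: The new `if user && user == current_user` guard at the end of `execute` only reaches its `else` branch when `User.find` returns nil, but if `User` is an ActiveRecord model `find` raises `ActiveRecord::RecordNotFound` for a missing id rather than returning nil, so a token whose owner has been deleted would surface as an exception instead of the intended `error('User could not be found')` result. Switching the lookup to the nil-returning form, `user = User.find_by(id: access_token.resource_owner_id)`, makes the guard reachable in production. The companion spec in the second file section stubs `User.find` to return nil, which passes against this code but exercises a return value the real method never produces; with `find_by` the test can instead use an id that has no user. The enclosing `Oauth2` module and class continue outside the hunk.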
...@@ -27,7 +27,7 @@ describe Oauth2::LogoutTokenValidationService do ...@@ -27,7 +27,7 @@ describe Oauth2::LogoutTokenValidationService do
expect(result[:status]).to eq(:error) expect(result[:status]).to eq(:error)
end end
it 'returns error when incorrect encoding' do it 'returns error when token has incorrect encoding' do
allow_any_instance_of(Gitlab::Geo::OauthSession) allow_any_instance_of(Gitlab::Geo::OauthSession)
.to receive(:extract_logout_token) .to receive(:extract_logout_token)
.and_return("\xD800\xD801\xD802") .and_return("\xD800\xD801\xD802")
...@@ -37,6 +37,26 @@ describe Oauth2::LogoutTokenValidationService do ...@@ -37,6 +37,26 @@ describe Oauth2::LogoutTokenValidationService do
expect(result[:status]).to eq(:error) expect(result[:status]).to eq(:error)
end end
it 'returns error when current user is nil' do
result = described_class.new(nil, state: logout_state).execute
expect(result).to eq(status: :error, message: 'User could not be found')
end
it 'returns error when token owner could not be found' do
allow(User).to receive(:find).with(user.id).and_return(nil)
result = described_class.new(user, state: logout_state).execute
expect(result).to eq(status: :error, message: 'User could not be found')
end
it 'returns error when token does not belong to the current user' do
result = described_class.new(create(:user), state: logout_state).execute
expect(result).to eq(status: :error, message: 'User could not be found')
end
context 'when token is valid' do context 'when token is valid' do
it 'returns success' do it 'returns success' do
result = described_class.new(user, state: logout_state).execute result = described_class.new(user, state: logout_state).execute
......