From b74014ab4246403fdec09aeccb220b2b7eca21db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Jos=C3=A9=20Mata?=
Date: Sat, 9 May 2026 01:39:10 +0200
Subject: [PATCH] Reject revoked OAuth tokens in API auth (#1711)

---
 app/controllers/api/v1/base_controller.rb | 2 +-
 test/controllers/api/v1/base_controller_test.rb | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index b2e8bc59c..4db722b52 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -62,7 +62,7 @@ class Api::V1::BaseController < ApplicationController
 
     # Check token validity and scope (read_write includes read access)
     has_sufficient_scope = access_token&.scopes&.include?("read") || access_token&.scopes&.include?("read_write")
-    unless access_token && !access_token.expired? && has_sufficient_scope
+    unless access_token&.accessible? && has_sufficient_scope
       render_json({ error: "unauthorized", message: "Access token is invalid, expired, or missing required scope" }, status: :unauthorized)
       return false
     end
diff --git a/test/controllers/api/v1/base_controller_test.rb b/test/controllers/api/v1/base_controller_test.rb
index af9e7066d..a6dec7ab6 100644
--- a/test/controllers/api/v1/base_controller_test.rb
+++ b/test/controllers/api/v1/base_controller_test.rb
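Review bot: The comment above the changed `unless` line, `# Check token validity and scope (read_write includes read access)`, does not say that revoked tokens are rejected here, yet `access_token&.accessible?` is the only visible place that enforces it (Doorkeeper defines `accessible?` as not expired and not revoked); reword it to `# Reject missing, expired or revoked tokens, then require read or read_write scope` so a later edit to this line is not mistaken for a pure expiry check. The message rendered on the next line, `Access token is invalid, expired, or missing required scope`, is fine to keep uniform, since it does not tell a caller which of the conditions failed. If the token is fetched earlier in this method with `Doorkeeper::AccessToken.by_token` (not visible in the hunk), that lookup returns revoked rows unchanged, so nothing upstream filters them and this guard carries the whole check. The enclosing method begins outside the hunk.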
@@ -60,6 +60,23 @@ class Api::V1::BaseControllerTest < ActionDispatch::IntegrationTest
     assert_equal @user.email, response_body["user"]
   end
 
+  test "should reject revoked access token" do
+    access_token = Doorkeeper::AccessToken.create!(
+      application: @oauth_app,
+      resource_owner_id: @user.id,
+      scopes: "read"
+    )
+    access_token.revoke
+
+    get "/api/v1/test", params: {}, headers: {
+      "Authorization" => "Bearer #{access_token.token}"
+    }
+
+    assert_response :unauthorized
+    response_body = JSON.parse(response.body)
+    assert_equal "unauthorized", response_body["error"]
+  end
+
   test "should reject invalid access token" do
     get "/api/v1/test", params: {}, headers: {
       "Authorization" => "Bearer invalid_token"
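Review bot: The new test cannot tell revocation apart from any other rejection: a token created with the wrong application, resource owner or scope would produce the same `:unauthorized` response and `"unauthorized"` error it asserts. Add a positive control before `access_token.revoke` — the same `get "/api/v1/test", params: {}, headers: { "Authorization" => "Bearer #{access_token.token}" }` followed by `assert_response :success` (the preceding test suggests a valid token is accepted on this route) — so the 401 is attributable to the revoke call alone. Doorkeeper's `revoke` writes `revoked_at` to the database, so no extra `save` or `reload` is needed for the control to be meaningful.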