grape-oauth2/grape_oauth2

Expired access token not giving unauthorized Error

Opened this issue · 4 comments

In our application we allow the client to pass access tokens (optional) for GET requests for analytics and reports. But if the client passes a very old access token which is expired in the request, the gem does not return Unauthorized for the request. For which I am doing the following change in the code.

lib/grape_oauth2/helpers/access_token_helpers.rb

def current_access_token
  @_current_access_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
  if @_current_access_token.present? &&
     (@_current_access_token.revoked? || @_current_access_token.expired?)
    raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized
  end
  @_current_access_token
end

Is this a valid change? Or am I missing something?

Hi @hardikg23. Once again, what is your purpose? Do you need to pass invalid tokens, or what?

The helper access_token_required! already checks the access token for validity (the token can't be revoked or expired and must match the scopes).

Hi @nbulaj. In my case the access token is optional in the header for GET requests, so I cannot use the helper access_token_required!. But if an access token is present it should be valid, not an expired one. The access token in the request is just to identify the current user for analytics purposes; the client may choose not to pass it in the header, and in that case it's absolutely fine.

@hardikg23 maybe you need to implement your own helper and use it in your endpoints?

# app/some_helpers.rb
module SomeHelpers
  extend ::Grape::API::Helpers

  def check_access_token!
    token = current_access_token

    # any logic
    if token.nil? || token.expired? || token.revoked?
      raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized
    end
  end
end

# app/endpoints/some.rb
get :endpoint do
  check_access_token!

  # do something
end

The current_access_token helper exists only for getting an instance of the access token, not for checking its validity.
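A helper along those lines, written as an added example (not the gem's own code) in plain Ruby so it runs without Grape or rack-oauth2: a missing Authorization header is treated as an anonymous request, but a header that is present yet malformed, unknown, expired or revoked is rejected. OptionalBearerToken::Unauthorized stands in for Rack::OAuth2::Server::Resource::Bearer::Unauthorized and Token for the gem's access-token model; both, and the in-memory sample_store, are assumptions made for this example.

```ruby
require "time"

module OptionalBearerToken
  # Stand-in for Rack::OAuth2::Server::Resource::Bearer::Unauthorized (assumption).
  class Unauthorized < StandardError; end

  # Stand-in for the gem's access token model: only what the check needs (assumption).
  Token = Struct.new(:owner_id, :expires_at, :revoked_at) do
    def expired?
      !expires_at.nil? && expires_at <= Time.now
    end

    def revoked?
      !revoked_at.nil?
    end
  end

  # Extract the bearer token string from a Rack env, or nil when no header was sent.
  # A header that is present but not "Bearer <token>" is a bad credential, not "no credential".
  def self.bearer_value(env)
    header = env["HTTP_AUTHORIZATION"].to_s.strip
    return nil if header.empty?
    m = /\ABearer\s+(\S+)\z/i.match(header)
    raise Unauthorized, "malformed Authorization header" unless m
    m[1]
  end

  # Optional-but-valid check: nil for anonymous requests, the Token when it is usable,
  # Unauthorized when a token was supplied but cannot be trusted.
  # store maps token string => Token (an in-memory stand-in for the database).
  def self.optional_token(env, store)
    value = bearer_value(env)
    return nil if value.nil?
    token = store[value]
    raise Unauthorized, "unknown access token" if token.nil?
    raise Unauthorized, "access token expired" if token.expired?
    raise Unauthorized, "access token revoked" if token.revoked?
    token
  end

  # Constructed sample data for trying the check: one good, one expired, one revoked token.
  def self.sample_store(now = Time.now)
    {
      "good" => Token.new(7, now + 3600, nil),
      "old"  => Token.new(7, now - 1, nil),
      "gone" => Token.new(7, now + 3600, now - 10),
    }
  end
end
```

In a Grape endpoint the env would come from request.env and the store lookup from the gem's access-token model; the branch order (absent, malformed, unknown, expired, revoked) is the part worth keeping.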

Any update here?