From c91cef6a8d39ae1c999f937b3a7e2babe186039a Mon Sep 17 00:00:00 2001
From: Linh Dang
Date: Wed, 10 Apr 2019 16:11:31 +0900
Subject: [PATCH] add nil check operator in token checking at token introspection
---
 NEWS.md | 1 +
 lib/doorkeeper/oauth/token_introspection.rb | 2 +-
 spec/controllers/tokens_controller_spec.rb | 29 +++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/NEWS.md b/NEWS.md
index 857f0e09c..651b641eb 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -7,6 +7,7 @@ User-visible changes worth mentioning.
 ## master
+- [#1243]: Add nil check operator in token checking at token introspection.
 - [#1241] Explaining foreign key options for resource owner in a single place
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
diff --git a/lib/doorkeeper/oauth/token_introspection.rb b/lib/doorkeeper/oauth/token_introspection.rb
index 12b08e44f..90d2ecb6f 100644
--- a/lib/doorkeeper/oauth/token_introspection.rb
+++ b/lib/doorkeeper/oauth/token_introspection.rb
@@ -163,7 +163,7 @@ def valid_token?
 # RFC7662 Section 2.1
 def authorized_token_matches_introspected?
- authorized_token.token == @token.token
+ authorized_token.token == @token&.token
 end
 # If token doesn't belong to some client, then it is public.
diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb
index ac40d0786..a9eb401ab 100644
--- a/spec/controllers/tokens_controller_spec.rb
+++ b/spec/controllers/tokens_controller_spec.rb
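Review bot: The changed line in `authorized_token_matches_introspected?` returns false for an unknown introspected token only because `authorized_token.token == nil` happens to be false, which reads as a nil-safety patch rather than as the policy it implements; an explicit guard states the intent: `return false if @token.nil?` followed by the unchanged `authorized_token.token == @token.token`. The spec added by this commit shows the path was reachable with a live Bearer credential and an unrecognised token value, so the old code raised NoMethodError where RFC 7662 §2.2 expects a plain `active: false` answer; `valid_token?` and the caller that orders these checks are outside the hunk, so whether an earlier check could short-circuit the nil case, or whether `authorized_token` itself can be nil here, cannot be confirmed from this view. The `# RFC7662 Section 2.1` comment would also help a reader if it named the rule, e.g. `# RFC7662 Section 2.1: a caller authorized by a Bearer token may only introspect that same token; an unknown token never matches`.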
@@ -213,14 +213,14 @@
 end
 context "authorized using invalid Bearer token" do
- let(:token_for_introspection) do
+ let(:access_token) do
 FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
 end
 it "responds with invalid token error" do
- request.headers["Authorization"] = "Bearer #{token_for_introspection.token}"
+ request.headers["Authorization"] = "Bearer #{access_token.token}"
- post :introspect, params: { token: access_token.token }
+ post :introspect, params: { token: token_for_introspection.token }
 response_status_should_be 401
@@ -260,13 +260,26 @@
 end
 context "using wrong token value" do
- it "responds with only active state" do
- request.headers["Authorization"] = basic_auth_header_for_client(client)
+ context "authorized using client credentials" do
+ it "responds with only active state" do
+ request.headers["Authorization"] = basic_auth_header_for_client(client)
- post :introspect, params: { token: SecureRandom.hex(16) }
+ post :introspect, params: { token: SecureRandom.hex(16) }
- should_have_json "active", false
- expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+ should_have_json "active", false
+ expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+ end
+ end
+
+ context "authorized using valid Bearer token" do
+ it "responds with only active state" do
+ request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+ post :introspect, params: { token: SecureRandom.hex(16) }
+
+ should_have_json "active", false
+ expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+ end
 end
 end
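Review bot: The `let(:access_token)` override in the "authorized using invalid Bearer token" context silently swaps the roles of the two tokens — the revoked one is now the Bearer credential and `token_for_introspection`, presumably defined by an outer `let` above the hunk, is the value being introspected — and nothing in the names says so. A one-line comment on the override would keep the next reader from undoing it: `# overrides the outer access_token: the Bearer credential itself is revoked, so introspection must be refused with 401`. The `it` block's closing `end` lies after `response_status_should_be 401`, outside the hunk.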
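Review bot: The new "authorized using valid Bearer token" example under "using wrong token value" asserts `active: false` and the absent fields but never the HTTP status, so the success status that RFC 7662 §2.2 prescribes for an unknown token is left implicit; adding `response_status_should_be 200` before `should_have_json "active", false` uses the same helper the -213 hunk applies for the 401 case and makes the contract explicit in the example that exercises the nil-`@token` path this commit fixes. The same assertion is missing from the sibling "authorized using client credentials" example. The two `it` bodies differ only in the `Authorization` header, so a shared example group taking the header as its parameter would keep them from drifting apart; that is a style preference, not a defect.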