doorkeeper-gem · nbulaj · Apr 10, 2019 · Apr 10, 2019
diff --git a/NEWS.md b/NEWS.md
@@ -7,6 +7,7 @@ User-visible changes worth mentioning.
 
 ## master
 
+- [#1243]: Add nil check operator in token checking at token introspection.
 - [#1241] Explaining foreign key options for resource owner in a single place
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.

diff --git a/lib/doorkeeper/oauth/token_introspection.rb b/lib/doorkeeper/oauth/token_introspection.rb
@@ -163,7 +163,7 @@ def valid_token?
 
       # RFC7662 Section 2.1
       def authorized_token_matches_introspected?
-        authorized_token.token == @token.token
+        authorized_token.token == @token&.token
       end
 
       # If token doesn't belong to some client, then it is public.

diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb
@@ -213,14 +213,14 @@
     end
 
     context "authorized using invalid Bearer token" do
-      let(:token_for_introspection) do
+      let(:access_token) do
         FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
       end
 
       it "responds with invalid token error" do
-        request.headers["Authorization"] = "Bearer #{token_for_introspection.token}"
+        request.headers["Authorization"] = "Bearer #{access_token.token}"
 
-        post :introspect, params: { token: access_token.token }
+        post :introspect, params: { token: token_for_introspection.token }
 
         response_status_should_be 401
 
@@ -260,13 +260,26 @@
     end
 
     context "using wrong token value" do
-      it "responds with only active state" do
-        request.headers["Authorization"] = basic_auth_header_for_client(client)
+      context "authorized using client credentials" do
+        it "responds with only active state" do
+          request.headers["Authorization"] = basic_auth_header_for_client(client)
 
-        post :introspect, params: { token: SecureRandom.hex(16) }
+          post :introspect, params: { token: SecureRandom.hex(16) }
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+          should_have_json "active", false
+          expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        end
+      end
+
+      context "authorized using valid Bearer token" do
+        it "responds with only active state" do
+          request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+          post :introspect, params: { token: SecureRandom.hex(16) }
+
+          should_have_json "active", false
+          expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        end
       end
     end