grape-oauth2 / grape_oauth2

Flexible, ORM-agnostic, fully customizable and simple OAuth2 provider for Grape API

Expired access token not giving unauthorized Error #10

Open hardikg23 opened 6 years ago

hardikg23 commented 6 years ago

In our application we allow clients to pass access tokens (optional) for GET requests for analytics and reports. But if a client passes a very old access token which is expired in the request, the gem does not return Unauthorized for the request. For that I am making the following change in the code.

lib/grape_oauth2/helpers/access_token_helpers.rb

def current_access_token
  @_current_access_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
  # Proposed change: reject a token that is present but revoked or expired
  if @_current_access_token.present? && (@_current_access_token.revoked? || @_current_access_token.expired?)
    raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized
  end
  @_current_access_token
end

Is this a valid change? Or am I missing something?

nbulaj commented 6 years ago

Hi @hardikg23. Once again, what is your purpose? Do you need to pass invalid tokens, or what?

The helper access_token_required! already checks the access token for validity (the token can't be revoked or expired and must match the scopes).

hardikg23 commented 6 years ago

Hi @nbulaj, in my case the access token is optional in the header for GET requests, so I can not use the helper access_token_required!. But if an access token is present it should be valid, not an expired one. The access token in the request is just to identify the current user for analytics purposes; the client may choose not to pass it in the header, and in that case it's absolutely fine.

nbulaj commented 6 years ago

@hardikg23 maybe you need to implement some helper and use it in your endpoints?

# app/some_helpers.rb
module SomeHelpers
  extend ::Grape::API::Helpers

  def check_access_token!
    token = current_access_token

    # any logic
    if token.nil? || token.expired? || token.revoked?
      raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized
    end
  end
end

# app/endpoints/some.rb
# (inside your Grape::API class; register the module so its methods are available in endpoints)
helpers SomeHelpers

get :endpoint do
  check_access_token!

  # do something
end

The current_access_token helper exists only for getting an instance of the Access Token, not for checking its validity.
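An added, self-contained illustration of the "optional bearer token" helper discussed in this thread (example code written for this page, not grape_oauth2's own code): a missing token is allowed through as an anonymous request, while a token that is present but expired or revoked is rejected before it is ever used to identify a user. The AccessToken struct, the Unauthorized class, the ACCESS_TOKEN_ENV_KEY constant and the ReportEndpoint/Request classes are constructed stand-ins for the gem's Rack::OAuth2 objects and a Grape endpoint; only the method names current_access_token and check_access_token! come from the thread.

```ruby
# Added example, not grape_oauth2 code. The classes and constants below are
# stand-ins for Rack::OAuth2 / Grape objects so the file runs with stdlib only.

# Stand-in for the gem's Access Token model (normally provided by an ORM mixin).
AccessToken = Struct.new(:token, :resource_owner_id, :expires_at, :revoked_at, :scopes) do
  def expired?
    !expires_at.nil? && expires_at <= Time.now
  end

  def revoked?
    !revoked_at.nil?
  end
end

# Stand-in for Rack::OAuth2::Server::Resource::Bearer::Unauthorized.
class Unauthorized < StandardError; end

# Stand-in for Rack::OAuth2::Server::Resource::ACCESS_TOKEN, the env key under
# which the Rack middleware hands the parsed token to the application.
ACCESS_TOKEN_ENV_KEY = 'rack.oauth2.access_token'.freeze

module OptionalTokenHelpers
  # Same contract as the gem's helper: fetch the token instance, no validation.
  def current_access_token
    @_current_access_token ||= request.env[ACCESS_TOKEN_ENV_KEY]
  end

  # Optional-token check: no token is fine (anonymous caller), but a token that
  # is present must be live. Returns the token, or nil for anonymous requests.
  def check_access_token!
    token = current_access_token
    return nil if token.nil?
    raise Unauthorized, 'access token expired' if token.expired?
    raise Unauthorized, 'access token revoked' if token.revoked?
    token
  end

  # User to attribute the request to for analytics; nil for anonymous callers.
  # The validity check runs first so a stale token never identifies anyone.
  def analytics_owner_id
    token = check_access_token!
    token && token.resource_owner_id
  end
end

# Minimal stand-in for the request object a Grape endpoint sees.
Request = Struct.new(:env)

# Stand-in for a `get :report do ... end` endpoint that calls the helper first.
class ReportEndpoint
  include OptionalTokenHelpers
  attr_reader :request

  def initialize(env)
    @request = Request.new(env)
  end

  def call
    owner = analytics_owner_id
    { status: 200, owner_id: owner, anonymous: owner.nil? }
  end
end

# Run the endpoint and turn Unauthorized into a 401 response hash, the way the
# Rack middleware's error handling would.
def handle(env)
  ReportEndpoint.new(env).call
rescue Unauthorized => e
  { status: 401, error: e.message }
end

# Constructed sample tokens for the three states the thread cares about.
def sample_token(state)
  case state
  when :valid   then AccessToken.new('tok', 42, Time.now + 3600, nil, %w[read])
  when :expired then AccessToken.new('tok', 42, Time.now - 60, nil, %w[read])
  when :revoked then AccessToken.new('tok', 42, Time.now + 3600, Time.now - 60, %w[read])
  end
end

if __FILE__ == $PROGRAM_NAME
  p handle({})                                              # anonymous, 200
  p handle(ACCESS_TOKEN_ENV_KEY => sample_token(:valid))    # owner 42, 200
  p handle(ACCESS_TOKEN_ENV_KEY => sample_token(:expired))  # 401
  p handle(ACCESS_TOKEN_ENV_KEY => sample_token(:revoked))  # 401
end
```

The helper deliberately does not check scopes: an endpoint that accepts anonymous callers has no scope to require. If the same endpoint ever starts returning per-user data, the gem's access_token_required! (which also enforces scopes, as noted above) is the right helper instead of an optional check.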

nbulaj commented 6 years ago

Any update here?