try/except when looking for an access token to avoid 500

discobeta · dopry · commit b327ea901027 · 2023-10-19T16:49:36.000-04:00
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -726,8 +726,10 @@ def get_original_scopes(self, refresh_token, request, *args, **kwargs):
         # validate_refresh_token.
         rt = request.refresh_token_instance
         if not rt.access_token_id:
-            return AccessToken.objects.get(source_refresh_token_id=rt.id).scope
-
+            try:
+                return AccessToken.objects.get(source_refresh_token_id=rt.id).scope
+            except AccessToken.DoesNotExist:
+                return None
         return rt.access_token.scope
 
     def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs):
diff --git a/tests/test_authorization_code.py b/tests/test_authorization_code.py
@@ -851,6 +851,36 @@ def test_refresh_invalidates_old_tokens(self):
         self.assertIsNotNone(refresh_token.revoked)
         self.assertFalse(AccessToken.objects.filter(token=at).exists())
 
+    def test_refresh_twice_with_same_token_returns_401(self):
+        """
+        Ensure that using a refresh token twice returns 401
+        """
+        self.client.login(username="test_user", password="123456")
+        authorization_code = self.get_auth()
+
+        token_request_data = {
+            "grant_type": "authorization_code",
+            "code": authorization_code,
+            "redirect_uri": "http://example.org",
+        }
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
+
+        response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
+        content = json.loads(response.content.decode("utf-8"))
+
+        rt = content["refresh_token"]
+
+        token_request_data = {
+            "grant_type": "refresh_token",
+            "refresh_token": rt,
+            "scope": content["scope"],
+        }
+        response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 200)
+
+        response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 400)
+
     def test_refresh_no_scopes(self):
         """
         Request an access token using a refresh token without passing any scope
