From cac3db95a11723f25f211b9349023676adf3fe29 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 3 Jun 2024 16:09:07 -0500
Subject: Raise explicit error messages for more graceful handling.

---
 .../authentication/oauth2/models/jwtrefreshtoken.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

(limited to 'gn_auth/auth/authentication/oauth2')

diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index dba1563..31c9147 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -16,6 +16,7 @@ from pymonad.maybe import Just, Maybe, Nothing
 from pymonad.tools import monad_from_none_or_value
 
 from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.errors import ForbiddenAccess
 from gn_auth.auth.authentication.users import User, user_by_id
 
 from gn_auth.auth.authentication.oauth2.models.oauth2client import (
@@ -166,10 +167,13 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
 
 def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool:
     """Check whether a token is valid."""
-    return (
-        (token.client.client_id == client.client_id)
-        and
-        (not token.is_expired())
-        and
-        (not token.revoked)
-    )
+    if not token.client.client_id == client.client_id:
+        raise ForbiddenAccess("Token does not belong to client.")
+
+    if token.is_expired():
+        raise ForbiddenAccess("Token is expired.")
+
+    if token.revoked:
+        raise ForbiddenAccess("Token has previously been revoked.")
+
+    return True
-- 
cgit v1.2.3
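Review bot: The docstring `"""Check whether a token is valid."""` and the `-> bool` annotation no longer describe the new body of is_refresh_token_valid: it never returns False any more and instead raises ForbiddenAccess on a client mismatch, expiry, or revocation, so a caller still written as `if not is_refresh_token_valid(token, client):` silently loses its failure branch. Document the contract, e.g. `"""Validate `token` for `client`. Raises ForbiddenAccess when the token belongs to another client, is expired, or has been revoked; returns True otherwise."""`, and check the callers (outside this hunk) for return-value tests that must become try/except. The first guard reads more idiomatically as `if token.client.client_id != client.client_id:`. It is also worth confirming how ForbiddenAccess is rendered at the token endpoint: RFC 6749 §5.2 expects a uniform `invalid_grant` for a refresh token that is mismatched, expired, or revoked, so the three distinct messages should go to logs rather than into the client-facing response, where they would tell a holder of a stolen token which check it failed.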