From cac3db95a11723f25f211b9349023676adf3fe29 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Mon, 3 Jun 2024 16:09:07 -0500 Subject: Raise explicit error messages for more graceful handling. --- .../authentication/oauth2/models/jwtrefreshtoken.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'gn_auth/auth') diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py index dba1563..31c9147 100644 --- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py +++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py @@ -16,6 +16,7 @@ from pymonad.maybe import Just, Maybe, Nothing from pymonad.tools import monad_from_none_or_value from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.errors import ForbiddenAccess from gn_auth.auth.authentication.users import User, user_by_id from gn_auth.auth.authentication.oauth2.models.oauth2client import ( @@ -166,10 +167,13 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str): def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool: """Check whether a token is valid.""" - return ( - (token.client.client_id == client.client_id) - and - (not token.is_expired()) - and - (not token.revoked) - ) + if not token.client.client_id == client.client_id: + raise ForbiddenAccess("Token does not belong to client.") + + if token.is_expired(): + raise ForbiddenAccess("Token is expired.") + + if token.revoked: + raise ForbiddenAccess("Token has previously been revoked.") + + return True -- cgit v1.2.3