Google Git
Sign in
go / oauth2 / ee2bad97a97122079f2a3d0dce09330f085b36a0^! / .
commitee2bad97a97122079f2a3d0dce09330f085b36a0[log] [tgz]
authorRoss Light <light@google.com>Thu Dec 28 11:07:42 2017 -0800
committerRoss Light <light@google.com>Wed Jan 03 00:38:26 2018 +0000
tree98e7bee076ff89d7c1963d4054ee0d598cdcb31c
parent542ae755daf1f51eab2b19a5a4bd42e12bddeb25 [diff]
internal: return error if no access_token present in server response

This behavior and test was introduced in 0ae3d4edc99f765dc1513a9605aa96e82877a20a.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error.  Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.

Cleans up some tests responding with invalid data.

Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>

diff --git a/internal/token.go b/internal/token.go
index 8a10204..558ce95 100644
--- a/internal/token.go
+++ b/internal/token.go

@@ -6,6 +6,7 @@
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -250,6 +251,9 @@
 	if token.RefreshToken == "" {
 		token.RefreshToken = v.Get("refresh_token")
 	}
+	if token.AccessToken == "" {
+		return token, errors.New("oauth2: server response missing access_token")
+	}
 	return token, nil
 }
 

diff --git a/internal/token_test.go b/internal/token_test.go
index 9118d82..7b52e51 100644
--- a/internal/token_test.go
+++ b/internal/token_test.go

@@ -33,7 +33,8 @@
 		if got, want := r.FormValue("client_secret"), ""; got != want {
 			t.Errorf("client_secret = %q; want empty", got)
 		}
-		io.WriteString(w, "{}") // something non-empty, required to set a Content-Type in Go 1.10
+		w.Header().Set("Content-Type", "application/json")
+		io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
 	}))
 	defer ts.Close()
 
@@ -85,7 +86,8 @@
 	const clientID = "client-id"
 
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "{}") // something non-empty, required to set a Content-Type in Go 1.10
+		w.Header().Set("Content-Type", "application/json")
+		io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
 	}))
 	defer ts.Close()
 

diff --git a/oauth2_test.go b/oauth2_test.go
index 4937901..847160f 100644
--- a/oauth2_test.go
+++ b/oauth2_test.go

@@ -278,12 +278,9 @@
 	}))
 	defer ts.Close()
 	conf := newConf(ts.URL)
-	tok, err := conf.Exchange(context.Background(), "code")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if tok.AccessToken != "" {
-		t.Errorf("Unexpected access token, %#v.", tok.AccessToken)
+	_, err := conf.Exchange(context.Background(), "code")
+	if err == nil {
+		t.Error("expected error from missing access_token")
 	}
 }
 
@@ -296,7 +293,7 @@
 	conf := newConf(ts.URL)
 	_, err := conf.Exchange(context.Background(), "exchange-code")
 	if err == nil {
-		t.Error("expected error from invalid access_token type")
+		t.Error("expected error from non-string access_token")
 	}
 }