Fix Refresh Token revocation when the access token does not exist

ryanpetrello · jleclanche · commit 5b51da740190 · 2018-10-17T12:45:30.000+03:00
Fixes #625
diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -377,7 +377,10 @@ def revoke(self):
             if not self:
                 return
 
-            access_token_model.objects.get(id=self.access_token_id).revoke()
+            try:
+                access_token_model.objects.get(id=self.access_token_id).revoke()
+            except access_token_model.DoesNotExist:
+                pass
             self.access_token = None
             self.revoked = timezone.now()
             self.save()
diff --git a/tests/test_token_revocation.py b/tests/test_token_revocation.py
@@ -151,6 +151,31 @@ def test_revoke_refresh_token(self):
         self.assertIsNotNone(refresh_token.revoked)
         self.assertFalse(AccessToken.objects.filter(id=rtok.access_token.id).exists())
 
+    def test_revoke_refresh_token_with_revoked_access_token(self):
+        tok = AccessToken.objects.create(
+            user=self.test_user, token="1234567890",
+            application=self.application,
+            expires=timezone.now() + datetime.timedelta(days=1),
+            scope="read write"
+        )
+        rtok = RefreshToken.objects.create(
+            user=self.test_user, token="999999999",
+            application=self.application, access_token=tok
+        )
+        for token in (tok.token, rtok.token):
+            query_string = urlencode({
+                "client_id": self.application.client_id,
+                "client_secret": self.application.client_secret,
+                "token": token,
+            })
+            url = "{url}?{qs}".format(url=reverse("oauth2_provider:revoke-token"), qs=query_string)
+            response = self.client.post(url)
+            self.assertEqual(response.status_code, 200)
+
+        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+        refresh_token = RefreshToken.objects.filter(id=rtok.id).first()
+        self.assertIsNotNone(refresh_token.revoked)
+
     def test_revoke_token_with_wrong_hint(self):
         """
         From the revocation rfc, `Section 4.1.2`_ :
