fix: token throws an error when client is provided as a string

dopry · dopry · commit da0f147982d2 · 2025-11-03T13:44:46.000-05:00
instead of the client_id, cleaner implementation
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -202,22 +202,32 @@ def _load_application(self, client_id, request):
         If request.client was not set, load application instance for given
         client_id and store it in request.client
         """
-
-        # we want to be sure that request has the client attribute!
-        assert hasattr(request, "client"), '"request" instance has no "client" attribute'
-
-        try:
+        if request.client:
+            """ check for cached client, to save the db hit if this has alredy been loaded """
             if not isinstance(request.client, Application):
-                log.debug("invalid client type, Loading application for client_id %r", client_id)
-                request.client = Application.objects.get(client_id=client_id)
-            # Check that the application can be used (defaults to always True)
-            if not request.client.is_usable(request):
-                log.debug("Failed body authentication: Application %r is disabled" % (client_id))
+                log.debug("request.client is not an Application, something else set request.client erroroneously, resetting request.client.")
+                request.client = None
+            elif request.client.client_id != client_id:
+                log.debug("request.client client_id does not match the given client_id, resetting request.client.")
+                request.client = None
+            elif not request.client.is_usable(request):
+                log.debug("request.client is a valid Application, but is not usable, resetting request.client.")
+                request.client = None
+            else:
+                log.debug("request.client is a valid Application, reusing it.")
+                return request.client
+        try:
+            """ cache wasn't hit, load from db """
+            log.debug("cache not hit, Loading application from database for client_id %r", client_id)
+            client = Application.objects.get(client_id=client_id)
+            if not client.is_usable(request):
+                log.debug("Failed to load application: Application %r is not usable" % (client_id))
                 return None
+            log.debug("Loaded application %r from database", client)
+            request.client = client
             return request.client
         except Application.DoesNotExist:
-            log.debug("Failed body authentication: Application %r does not exist" % (client_id))
-            request.client = None
+            log.debug("Failed to load application: Application %r does not exist" % (client_id))
             return None
 
     def _set_oauth2_error_on_request(self, request, access_token, scopes):
diff --git a/tests/test_oauth2_validators.py b/tests/test_oauth2_validators.py
@@ -210,8 +210,36 @@ def test_client_authentication_required(self):
         self.request.client = ""
         self.assertTrue(self.validator.client_authentication_required(self.request))
 
-    def test_load_application_fails_when_request_has_no_client(self):
-        self.assertRaises(AssertionError, self.validator.authenticate_client_id, "client_id", {})
+    def test_load_application_loads_client_id_when_request_has_no_client(self):
+        self.request.client = None
+        application = self.validator._load_application("client_id", self.request)
+        self.assertEqual(application, self.application)
+
+    def test_load_application_uses_cached_when_request_has_valid_client_matching_client_id(self):
+        self.request.client = self.application
+        application = self.validator._load_application("client_id", self.request)
+        self.assertIs(application, self.application)
+        self.assertIs(self.request.client, self.application)
+
+    def test_load_application_succeeds_when_request_has_invalid_client_valid_client_id(self):
+        self.request.client = 'invalid_client'
+        application = self.validator._load_application("client_id", self.request)
+        self.assertEqual(application, self.application)
+        self.assertEqual(self.request.client, self.application)
+
+    def test_load_application_overwrites_client_on_client_id_mismatch(self):
+        another_application = Application.objects.create(
+            client_id="another_client_id",
+            client_secret=CLEARTEXT_SECRET,
+            user=self.user,
+            client_type=Application.CLIENT_PUBLIC,
+            authorization_grant_type=Application.GRANT_PASSWORD,
+        )
+        self.request.client = another_application
+        application = self.validator._load_application("client_id", self.request)
+        self.assertEqual(application, self.application)
+        self.assertEqual(self.request.client, self.application)
+        another_application.delete()
 
     def test_rotate_refresh_token__is_true(self):
         self.assertTrue(self.validator.rotate_refresh_token(mock.MagicMock()))
