Not existing tokens should return 200 within introspection (not 403) (#1012)

ZuSe · n2ygk · web-flow · commit e657d7b436e5 · 2022-01-01T12:41:33.000-05:00
* Not existing tokens should return 200 as well Compare with https://datatracker.ietf.org/doc/html/rfc7662 * Finish the PR checklist. Co-authored-by: Alan Crosswell <alan@columbia.edu>
diff --git a/AUTHORS b/AUTHORS
@@ -47,6 +47,7 @@ Michael Howitz
 Paul Dekkers
 Paul Oswald
 Pavel Tvrdík
+Patrick Palacin
 Peter Carnesciali
 Petr Dlouhý
 Rodney Richardson
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,11 +17,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 * #651 Batch expired token deletions in `cleartokens` management command
-
-### Added
-
 * Added pt-BR translations.
 
+### Fixed
+* #1012 Return status for introspecting a nonexistent token from 401 to the correct value of 200 per [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).
+
 ## [1.6.1] 2021-12-23
 
 ### Changed
diff --git a/oauth2_provider/views/introspect.py b/oauth2_provider/views/introspect.py
@@ -28,7 +28,7 @@ def get_token_response(token_value=None):
                 get_access_token_model().objects.select_related("user", "application").get(token=token_value)
             )
         except ObjectDoesNotExist:
-            return JsonResponse({"active": False}, status=401)
+            return JsonResponse({"active": False}, status=200)
         else:
             if token.is_valid():
                 data = {
@@ -42,7 +42,7 @@ def get_token_response(token_value=None):
                     data["username"] = token.user.get_username()
                 return JsonResponse(data)
             else:
-                return JsonResponse({"active": False})
+                return JsonResponse({"active": False}, status=200)
 
     def get(self, request, *args, **kwargs):
         """
diff --git a/tests/test_introspection_view.py b/tests/test_introspection_view.py
@@ -199,7 +199,7 @@ def test_view_get_notexisting_token(self):
             reverse("oauth2_provider:introspect"), {"token": "kaudawelsch"}, **auth_headers
         )
 
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, 200)
         content = response.json()
         self.assertIsInstance(content, dict)
         self.assertDictEqual(
@@ -269,7 +269,7 @@ def test_view_post_notexisting_token(self):
             reverse("oauth2_provider:introspect"), {"token": "kaudawelsch"}, **auth_headers
         )
 
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, 200)
         content = response.json()
         self.assertIsInstance(content, dict)
         self.assertDictEqual(
