
CaseClauseError when passing RefreshToken.grant a revoked token - v0.2.0 #18

Closed
dodgerogers opened this issue Feb 12, 2018 · 3 comments

@dodgerogers

The RefreshToken strategy checks if a revoked token has been passed in (line 78); however, it seems to cause a CaseClauseError in the issue_access_token_by_refresh_token function (line 62). We do not have a test case for revoked tokens in refresh_token_test.exs, so is this a valid test case? Or are we relying on the plugs to guard against revoked tokens making their way into the app?

Application Code

defmodule MyApp.Accounts.RefreshToken do
  alias MyApp.Accounts.Services.Applications
  alias ExOauth2Provider.Token
  alias ExOauth2Provider.OauthAccessTokens.OauthAccessToken

  def call(%OauthAccessToken{} = token) do
    with {:ok, app} <- Applications.default_application(),
         {:ok, access_token} <- refresh_access_token(app, token)
    do
      {:ok, access_token}
    else
      {:error, error, _status} -> {:error, error}
      _ -> {:error, "Something went wrong"}
    end
  end
  def call(_), do: {:error, "Invalid arguments"}

  defp refresh_access_token(app, token) do
    %{
      "grant_type" => "refresh_token",
      "client_id" => app.uid,
      "client_secret" => app.secret,
      "refresh_token" => token.refresh_token
    } |> Token.grant()
  end
end

Config.exs

config :ex_oauth2_provider, ExOauth2Provider,
  repo: MyApp.Repo,
  resource_owner: MyApp.Accounts.Schemas.User,
  application_owner: MyApp.Accounts.Schemas.OauthApplicationUser,
  use_refresh_token: true,
  revoke_refresh_token_on_use: true,
  grant_flows: ~w(password refresh_token),
  access_token_expires_in: 900,
  password_auth: {MyApp.Accounts.Authenticate, :validate_user_credentials}

Test Case

test "with revoked token returns error tuple" do
  user = insert(:user)
  oauth_application = create_default_oauth_application()
  revoked_attrs = %{
    revoked_at: NaiveDateTime.utc_now(),
    resource_owner: user,
    application: oauth_application
  }
  revoked_token = insert(:oauth_access_token, revoked_attrs)

  {:error, message} = RefreshToken.call(revoked_token)
end

Stack trace

(CaseClauseError) no case clause matching: {:ok, {:error, {:error, %{error: :invalid_request, error_description: "The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}, :bad_request}}}

 code: {:error, message} = RefreshToken.call(revoked_token)

 stacktrace:
       (ex_oauth2_provider) lib/ex_oauth2_provider/oauth2/token/strategy/refresh_token.ex:62: ExOauth2Provider.Token.RefreshToken.issue_access_token_by_refresh_token/1
       (ex_oauth2_provider) lib/ex_oauth2_provider/oauth2/token/strategy/refresh_token.ex:31: ExOauth2Provider.Token.RefreshToken.grant/1
       (myapp) lib/myapp/accounts/refresh_token.ex:8: MyApp.Accounts.RefreshToken.call/1
       test/lib/myapp/accounts/refresh_token_test.exs:33: (test)
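The trace shows the revoked-token error tuple being wrapped in `{:ok, ...}` and then reaching a `case` with no matching clause. The following is an added illustration, not ex_oauth2_provider's code, of a refresh grant whose every branch returns either `{:ok, token}` or the flat `{:error, body, status}` shape the caller's `with` above already matches; the module name, the in-memory token map and the error bodies are constructed for the example.

```elixir
defmodule RefreshGrantExample do
  # Constructed store keyed by refresh-token string. `revoked_at` is nil for
  # live tokens and a timestamp once the token has been revoked.
  @tokens %{
    "live-token" => %{refresh_token: "live-token", revoked_at: nil, scopes: "read"},
    "revoked-token" => %{
      refresh_token: "revoked-token",
      revoked_at: ~N[2018-02-12 00:00:00],
      scopes: "read"
    }
  }

  @invalid_request %{error: :invalid_request,
                     error_description: "The request is missing a required parameter."}
  @invalid_grant %{error: :invalid_grant,
                   error_description: "The refresh token is invalid, expired or revoked."}

  # `with` passes a non-matching value straight through, so a revoked token
  # surfaces as {:error, body, status} instead of being nested in {:ok, ...}.
  def grant(%{"grant_type" => "refresh_token", "refresh_token" => rt}) do
    with {:ok, token} <- load_token(rt),
         :ok <- ensure_not_revoked(token) do
      {:ok, issue_access_token(token)}
    end
  end

  def grant(_params), do: {:error, @invalid_request, :bad_request}

  defp load_token(rt) do
    case Map.fetch(@tokens, rt) do
      {:ok, token} -> {:ok, token}
      :error -> {:error, @invalid_grant, :bad_request}
    end
  end

  # The revoked check is an explicit step with its own return shape.
  defp ensure_not_revoked(%{revoked_at: nil}), do: :ok
  defp ensure_not_revoked(_revoked), do: {:error, @invalid_grant, :bad_request}

  defp issue_access_token(token) do
    %{access_token: Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false),
      scopes: token.scopes, expires_in: 900}
  end

  # Runs the three cases the issue cares about; raises MatchError on regression.
  def demo do
    {:ok, %{expires_in: 900}} = grant(%{"grant_type" => "refresh_token", "refresh_token" => "live-token"})
    {:error, %{error: :invalid_grant}, :bad_request} =
      grant(%{"grant_type" => "refresh_token", "refresh_token" => "revoked-token"})
    {:error, %{error: :invalid_request}, :bad_request} = grant(%{})
    :ok
  end
end
```

Run `RefreshGrantExample.demo()` in `iex`; the revoked case returns an error tuple that `MyApp.Accounts.RefreshToken.call/1` above would match with its `{:error, error, _status}` clause.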

@danschultzer
Owner

danschultzer commented Feb 12, 2018

Yeah, there's some code there that doesn't make sense. Could you try using #19 and see if it works for you? I see a lot of room to refactor this and make the flow clearer. When you confirm that this resolves the issue, I'll redo the code and release v0.2.2.

@dodgerogers
Author

#19 works great, appreciate you looking at it so quickly!

@danschultzer
Owner

I've released v0.2.2. Thanks.
