Add introspect (can hopefully be used for NGINX)

src/controllers/oauth_controller.rs

@@ -316,3 +316,33 @@ pub async fn token(
 		}))
 	}
 }
+
+#[derive(Serialize, Debug)]
+pub struct IntrospectResp {
+	active: bool,
+}
+
+#[derive(FromForm, Debug)]
+pub struct IntrospectFormData {
+	token:           String,
+	token_type_hint: Option<String>,
+}
+
+#[post("/oauth/introspect", data = "<form>")]
+pub async fn introspect(
+	auth: Option<BasicAuthentication>,
+	form: Form<IntrospectFormData>,
+	db: DbConn,
+) -> Result<Json<IntrospectResp>> {
+	let auth = auth
+		.map(|auth| (auth.user, auth.password))
+		.ok_or(ZauthError::from(OAuthError::InvalidRequest))?;
+
+	Client::find_and_authenticate(auth.0.to_string(), &auth.1, &db).await?;
+
+	let IntrospectFormData { token, .. } = form.into_inner();
+	let maybe_session = Session::find_by_key(token, &db).await;
+	Ok(Json(IntrospectResp {
+		active: maybe_session.is_ok(),
+	}))
+}

src/lib.rs

@@ -101,6 +101,7 @@ fn assemble(rocket: Rocket<Build>) -> Rocket<Build> {
 				oauth_controller::grant_get,
 				oauth_controller::grant_post,
 				oauth_controller::token,
+				oauth_controller::introspect,
 				pages_controller::home_page,
 				sessions_controller::create_session,
 				sessions_controller::new_session,

tests/oauth.rs

@@ -170,6 +170,27 @@ async fn normal_flow() {
 
 		assert_eq!(response.status(), Status::SeeOther);
 
+		let credentials =
+			base64::encode(&format!("{}:{}", client_id, client.secret));
+
+		let form_body = format!("token=1234");
+		let req = http_client
+			.post("/oauth/introspect")
+			.header(ContentType::Form)
+			.header(Header::new(
+				"Authorization",
+				format!("Basic {}", credentials),
+			))
+			.body(form_body);
+
+		let response = req.dispatch().await;
+		assert_eq!(response.status(), Status::Ok);
+		let response_body =
+			response.into_string().await.expect("response body");
+		let data: Value =
+			serde_json::from_str(&response_body).expect("response json values");
+		assert_eq!(data["active"], false);
+
 		// 7a. Client requests access code while sending its credentials
 		//     trough HTTP Auth.
 		let token_url = "/oauth/token";
@@ -178,9 +199,6 @@ async fn normal_flow() {
 			authorization_code, redirect_uri
 		);
 
-		let credentials =
-			base64::encode(&format!("{}:{}", client_id, client.secret));
-
 		let req = http_client
 			.post(token_url)
 			.header(ContentType::Form)
@@ -256,6 +274,24 @@ async fn normal_flow() {
 		assert_eq!(data["token_type"], "bearer");
 		let token = data["access_token"].as_str().expect("access token");
 
+		let form_body = format!("token={}", token);
+		let req = http_client
+			.post("/oauth/introspect")
+			.header(ContentType::Form)
+			.header(Header::new(
+				"Authorization",
+				format!("Basic {}", credentials),
+			))
+			.body(form_body);
+
+		let response = req.dispatch().await;
+		assert_eq!(response.status(), Status::Ok);
+		let response_body =
+			response.into_string().await.expect("response body");
+		let data: Value =
+			serde_json::from_str(&response_body).expect("response json values");
+		assert_eq!(data["active"], true);
+
 		let response = http_client
 			.get("/current_user")
 			.header(Accept::JSON)
@@ -276,6 +312,26 @@ async fn normal_flow() {
 
 		assert!(data["id"].is_number());
 		assert_eq!(data["username"], user_username);
+
+		http_client.post("/logout").dispatch().await;
+
+		let form_body = format!("token=1234");
+		let req = http_client
+			.post("/oauth/introspect")
+			.header(ContentType::Form)
+			.header(Header::new(
+				"Authorization",
+				format!("Basic {}", credentials),
+			))
+			.body(form_body);
+
+		let response = req.dispatch().await;
+		assert_eq!(response.status(), Status::Ok);
+		let response_body =
+			response.into_string().await.expect("response body");
+		let data: Value =
+			serde_json::from_str(&response_body).expect("response json values");
+		assert_eq!(data["active"], false);
 	})
 	.await;
 }