fix(api): Check token expiration in OAuth userinfo endpoint#108465
Merged
fix(api): Check token expiration in OAuth userinfo endpoint#108465
Conversation
The OAuthUserInfoEndpoint bypasses standard authentication and performs manual token lookup via ApiToken.objects.get(), but never checks is_expired(). This allows expired OAuth tokens to retrieve user information indefinitely. The standard auth path in UserAuthTokenAuthentication properly checks token expiration. Add is_expired() check after token lookup, consistent with the standard authentication pipeline. Co-Authored-By: Claude <[email protected]>
github-actions
bot
added
the
Scope: Backend
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| raise BearerTokenInvalid() | ||
|
|
||
| if token_details.is_expired(): | ||
| raise BearerTokenInvalid() |
Contributor
There was a problem hiding this comment.
Misleading error description for expired tokens
Low Severity
When an expired token is rejected, BearerTokenInvalid returns an error_description of "Access token not found", which is inaccurate — the token was found but is expired. This misleading message could confuse OAuth clients trying to diagnose authentication failures or decide whether to attempt a token refresh. The error code invalid_token is correct per RFC 6750, but the description doesn't match the actual reason for rejection.
JoshFerge
approved these changes
Feb 18, 2026
JonasBa
pushed a commit
that referenced
this pull request
Feb 19, 2026
The `OAuthUserInfoEndpoint` bypasses standard DRF authentication (`authentication_classes = ()`) and performs manual token lookup via `ApiToken.objects.get()`. However, it never calls `token.is_expired()`, meaning expired OAuth tokens can be used to retrieve user information (user ID, name, email, avatar) indefinitely after the 30-day expiration. The standard auth pipeline in `UserAuthTokenAuthentication.authenticate_token()` properly checks `is_expired()` and rejects expired tokens. This fix adds the same check to the manual token lookup path, returning `invalid_token` per RFC 6750 Section 3.1. Co-authored-by: Claude <[email protected]>
1 task
mchen-sentry
pushed a commit
that referenced
this pull request
Feb 24, 2026
The `OAuthUserInfoEndpoint` bypasses standard DRF authentication (`authentication_classes = ()`) and performs manual token lookup via `ApiToken.objects.get()`. However, it never calls `token.is_expired()`, meaning expired OAuth tokens can be used to retrieve user information (user ID, name, email, avatar) indefinitely after the 30-day expiration. The standard auth pipeline in `UserAuthTokenAuthentication.authenticate_token()` properly checks `is_expired()` and rejects expired tokens. This fix adds the same check to the manual token lookup path, returning `invalid_token` per RFC 6750 Section 3.1. Co-authored-by: Claude <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
OAuthUserInfoEndpointbypasses standard DRF authentication (authentication_classes = ()) and performs manual token lookup viaApiToken.objects.get(). However, it never callstoken.is_expired(), meaning expired OAuth tokens can be used to retrieve user information (user ID, name, email, avatar) indefinitely after the 30-day expiration.The standard auth pipeline in
UserAuthTokenAuthentication.authenticate_token()properly checksis_expired()and rejects expired tokens. This fix adds the same check to the manual token lookup path, returninginvalid_tokenper RFC 6750 Section 3.1.