avoid querying unsupported models during introspection and revocation

lib/actions/authorization/check_scope.js

@@ -1,4 +1,4 @@
-const _ = require('lodash');
+const { intersection, pull } = require('lodash');
 const instance = require('../../helpers/weak_cache');
 /*
  * Validates that all requested scopes are supported by the provider, that openid is amongst them
@@ -7,7 +7,7 @@ const instance = require('../../helpers/weak_cache');
  * @throws: invalid_request
  */
 module.exports = provider => async function checkScope(ctx, next) {
-  const scopes = _.intersection(ctx.oidc.params.scope.split(' '), instance(provider).configuration('scopes'));
+  const scopes = intersection(ctx.oidc.params.scope.split(' '), instance(provider).configuration('scopes'));
   const responseType = ctx.oidc.params.response_type;
   const { prompts } = ctx.oidc;
 
@@ -21,7 +21,7 @@ module.exports = provider => async function checkScope(ctx, next) {
 
   if (scopes.includes('offline_access')) {
     if (!responseType.includes('code') || !prompts.includes('consent')) {
-      _.pull(scopes, 'offline_access').join(' ');
+      pull(scopes, 'offline_access').join(' ');
     }
   }
 

lib/actions/introspection.js

@@ -11,23 +11,30 @@ const instance = require('../helpers/weak_cache');
 
 module.exports = function introspectionAction(provider) {
   const Claims = mask(instance(provider).configuration());
+  const { grantTypeHandlers } = instance(provider);
 
   function getAccessToken(token) {
     return provider.AccessToken.find(token, {
       ignoreExpiration: true,
     });
   }
 
-  function getClientCredentials(token) {
-    return provider.ClientCredentials.find(token, {
-      ignoreExpiration: true,
-    });
+  async function getClientCredentials(token) {
+    if (grantTypeHandlers.has('client_credentials')) {
+      return provider.ClientCredentials.find(token, {
+        ignoreExpiration: true,
+      });
+    }
+    return undefined;
   }
 
-  function getRefreshToken(token) {
-    return provider.RefreshToken.find(token, {
-      ignoreExpiration: true,
-    });
+  async function getRefreshToken(token) {
+    if (grantTypeHandlers.has('refresh_token')) {
+      return provider.RefreshToken.find(token, {
+        ignoreExpiration: true,
+      });
+    }
+    return undefined;
   }
 
   function findResult(results) {

lib/actions/revocation.js

@@ -5,18 +5,23 @@ const PARAM_LIST = new Set(['token', 'token_type_hint']);
 
 const { InvalidRequestError } = require('../helpers/errors');
 const presence = require('../helpers/validate_presence');
+const instance = require('../helpers/weak_cache');
 const authAndParams = require('../shared/chains/client_auth');
 
 module.exports = function revocationAction(provider) {
+  const { grantTypeHandlers } = instance(provider);
+
   function getAccessToken(token) {
     return provider.AccessToken.find(token);
   }
 
-  function getClientCredentials(token) {
+  async function getClientCredentials(token) {
+    if (!grantTypeHandlers.has('client_credentials')) return undefined;
     return provider.ClientCredentials.find(token);
   }
 
-  function getRefreshToken(token) {
+  async function getRefreshToken(token) {
+    if (!grantTypeHandlers.has('refresh_token')) return undefined;
     return provider.RefreshToken.find(token);
   }
 

test/introspection/introspection.config.js

@@ -3,7 +3,7 @@ const config = clone(require('../default.config'));
 
 config.subjectTypes = ['public', 'pairwise'];
 config.pairwiseSalt = 'foobar';
-config.features = { introspection: true };
+config.features = { introspection: true, clientCredentials: true };
 
 module.exports = {
   config,

test/revocation/revocation.config.js

@@ -1,7 +1,7 @@
 const { clone } = require('lodash');
 const config = clone(require('../default.config'));
 
-config.features = { revocation: true };
+config.features = { revocation: true, clientCredentials: true };
 
 module.exports = {
   config,