Diffstat (limited to 'spec/controllers/oauth/token_info_controller_spec.rb')
-rw-r--r--spec/controllers/oauth/token_info_controller_spec.rb71
1 files changed, 71 insertions, 0 deletions
diff --git a/spec/controllers/oauth/token_info_controller_spec.rb b/spec/controllers/oauth/token_info_controller_spec.rb
new file mode 100644
index 00000000000..35ad0dcf98c
--- /dev/null
+++ b/spec/controllers/oauth/token_info_controller_spec.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::TokenInfoController do
+ describe '#show' do
+ context 'when the user is not authenticated' do
+ it 'responds with a 401' do
+ get :show
+
+ expect(response.status).to eq 401
+ expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+ end
+ end
+
+ context 'when the request is valid' do
+ let(:application) { create(:oauth_application, scopes: 'api') }
+ let(:access_token) do
+ create(:oauth_access_token, expires_in: 5.minutes, application: application)
+ end
+
+ it 'responds with the token info' do
+ get :show, params: { access_token: access_token.token }
+
+ expect(response.status).to eq 200
+ expect(JSON.parse(response.body)).to eq(
+ 'scope' => %w[api],
+ 'scopes' => %w[api],
+ 'created_at' => access_token.created_at.to_i,
+ 'expires_in' => access_token.expires_in,
+ 'application' => { 'uid' => application.uid },
+ 'resource_owner_id' => access_token.resource_owner_id,
+ 'expires_in_seconds' => access_token.expires_in
+ )
+ end
+ end
+
+ context 'when the doorkeeper_token is not recognised' do
+ it 'responds with a 401' do
+ get :show, params: { access_token: 'unknown_token' }
+
+ expect(response.status).to eq 401
+ expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+ end
+ end
+
+ context 'when the token is expired' do
+ let(:access_token) do
+ create(:oauth_access_token, created_at: 2.days.ago, expires_in: 10.minutes)
+ end
+
+ it 'responds with a 401' do
+ get :show, params: { access_token: access_token.token }
+
+ expect(response.status).to eq 401
+ expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+ end
+ end
+
+ context 'when the token is revoked' do
+ let(:access_token) { create(:oauth_access_token, revoked_at: 2.days.ago) }
+
+ it 'responds with a 401' do
+ get :show, params: { access_token: access_token.token }
+
+ expect(response.status).to eq 401
+ expect(JSON.parse(response.body)).to include('error' => 'invalid_request')
+ end
+ end
+ end
+end
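Review bot: The unknown-, expired- and revoked-token examples only assert `include('error' => 'invalid_request')`, so they would still pass if the 401 body also carried token metadata. Since these cases exist to show that an inaccessible token reveals nothing, each should add a negative assertion such as `expect(JSON.parse(response.body).keys).not_to include('resource_owner_id', 'application', 'scope')`. Every example also supplies the token as the `access_token` query parameter; if the controller accepts an `Authorization: Bearer` header as well (not visible in this hunk), one example should cover that path, since it is the one that keeps tokens out of URLs and access logs. The valid-token example compares `expires_in` and `expires_in_seconds` with the stored value, which presumably is computed as time remaining and could differ by a second at a boundary, so freezing time around the request would make it deterministic.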