From 61b14a08b3e9f219db4e1e8f9fc9ddf022827242 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@matrix.org>
Date: Fri, 9 Dec 2022 16:19:33 +0000
Subject: [PATCH] Make the introspection endpoint return JSON error responses

---
 crates/handlers/src/oauth2/introspection.rs | 36 ++++++++++++++++-----
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/crates/handlers/src/oauth2/introspection.rs b/crates/handlers/src/oauth2/introspection.rs
index 09b0e61b..6eca827d 100644
--- a/crates/handlers/src/oauth2/introspection.rs
+++ b/crates/handlers/src/oauth2/introspection.rs
@@ -28,7 +28,10 @@ use mas_storage::{
     },
     Clock,
 };
-use oauth2_types::requests::{IntrospectionRequest, IntrospectionResponse};
+use oauth2_types::{
+    errors::{ClientError, ClientErrorCode},
+    requests::{IntrospectionRequest, IntrospectionResponse},
+};
 use sqlx::PgPool;
 use thiserror::Error;
 
@@ -58,18 +61,35 @@ pub enum RouteError {
 impl IntoResponse for RouteError {
     fn into_response(self) -> axum::response::Response {
         match self {
-            Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
-            Self::ClientNotFound => (StatusCode::UNAUTHORIZED, "client not found").into_response(),
+            Self::Internal(e) => (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(
+                    ClientError::from(ClientErrorCode::ServerError).with_description(e.to_string()),
+                ),
+            )
+                .into_response(),
+            Self::ClientNotFound => (
+                StatusCode::UNAUTHORIZED,
+                Json(ClientError::from(ClientErrorCode::InvalidClient)),
+            )
+                .into_response(),
+            Self::ClientCredentialsVerification(e) => (
+                StatusCode::UNAUTHORIZED,
+                Json(
+                    ClientError::from(ClientErrorCode::InvalidClient)
+                        .with_description(e.to_string()),
+                ),
+            )
+                .into_response(),
             Self::UnknownToken => Json(INACTIVE).into_response(),
             Self::NotAllowed => (
                 StatusCode::UNAUTHORIZED,
-                "client can't use the introspection endpoint",
+                Json(ClientError::from(ClientErrorCode::AccessDenied)),
             )
                 .into_response(),
-            Self::BadRequest => StatusCode::BAD_REQUEST.into_response(),
-            Self::ClientCredentialsVerification(_c) => (
-                StatusCode::UNAUTHORIZED,
-                "could not verify client credentials",
+            Self::BadRequest => (
+                StatusCode::BAD_REQUEST,
+                Json(ClientError::from(ClientErrorCode::InvalidRequest)),
             )
                 .into_response(),
         }