refactor: extract shared token finder for introspection and revocation

panva · panva · commit 666c2b09a394 · 2026-02-07T16:11:08.000+01:00
diff --git a/lib/actions/introspection.js b/lib/actions/introspection.js
@@ -8,6 +8,7 @@ import paramsMiddleware from '../shared/assemble_params.js';
 import { InvalidRequest } from '../helpers/errors.js';
 import rejectStructuredTokens from '../shared/reject_structured_tokens.js';
 import { checkAttestBinding } from '../helpers/check_attest_binding.js';
+import { createTokenFinder } from '../helpers/token_find.js';
 
 const introspectable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']);
 const JWT = 'application/token-introspection+jwt';
@@ -26,30 +27,10 @@ export default function introspectionAction(provider) {
   } = configuration;
   const { grantTypeHandlers } = instance(provider);
   const {
-    IdToken, AccessToken, ClientCredentials, RefreshToken, Client,
+    IdToken, Client,
   } = provider;
 
-  function getAccessToken(token) {
-    return AccessToken.find(token);
-  }
-
-  function getClientCredentials(token) {
-    if (!grantTypeHandlers.has('client_credentials')) {
-      return undefined;
-    }
-    return ClientCredentials.find(token);
-  }
-
-  function getRefreshToken(token) {
-    if (!grantTypeHandlers.has('refresh_token')) {
-      return undefined;
-    }
-    return RefreshToken.find(token);
-  }
-
-  function findResult(results) {
-    return results.find((found) => !!found);
-  }
+  const findToken = createTokenFinder(provider, grantTypeHandlers);
 
   return [
     noCache,
@@ -101,32 +82,7 @@ export default function introspectionAction(provider) {
 
       ctx.body = { active: false };
 
-      let token;
-      switch (params.token_type_hint) {
-        case 'access_token':
-        case 'urn:ietf:params:oauth:token-type:access_token':
-          token = await Promise.all([
-            getAccessToken(params.token),
-            getClientCredentials(params.token),
-          ])
-            .then(findResult)
-            .then((result) => result || getRefreshToken(params.token));
-          break;
-        case 'refresh_token':
-        case 'urn:ietf:params:oauth:token-type:refresh_token':
-          token = await getRefreshToken(params.token)
-            .then((result) => result || Promise.all([
-              getAccessToken(params.token),
-              getClientCredentials(params.token),
-            ]).then(findResult));
-          break;
-        default:
-          token = await Promise.all([
-            getAccessToken(params.token),
-            getClientCredentials(params.token),
-            getRefreshToken(params.token),
-          ]).then(findResult);
-      }
+      const token = await findToken(params.token, params.token_type_hint);
 
       if (!token?.isValid) {
         return;
diff --git a/lib/actions/revocation.js b/lib/actions/revocation.js
@@ -7,6 +7,7 @@ import paramsMiddleware from '../shared/assemble_params.js';
 import rejectStructuredTokens from '../shared/reject_structured_tokens.js';
 import revoke from '../helpers/revoke.js';
 import { checkAttestBinding } from '../helpers/check_attest_binding.js';
+import { createTokenFinder } from '../helpers/token_find.js';
 
 const revokeable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']);
 
@@ -20,27 +21,7 @@ export default function revocationAction(provider) {
     },
   } = configuration;
 
-  function getAccessToken(token) {
-    return provider.AccessToken.find(token);
-  }
-
-  function getClientCredentials(token) {
-    if (!grantTypeHandlers.has('client_credentials')) {
-      return undefined;
-    }
-    return provider.ClientCredentials.find(token);
-  }
-
-  function getRefreshToken(token) {
-    if (!grantTypeHandlers.has('refresh_token')) {
-      return undefined;
-    }
-    return provider.RefreshToken.find(token);
-  }
-
-  function findResult(results) {
-    return results.find((found) => !!found);
-  }
+  const findToken = createTokenFinder(provider, grantTypeHandlers);
 
   return [
     parseBody,
@@ -64,32 +45,7 @@ export default function revocationAction(provider) {
     async function revokeToken(ctx) {
       const { params } = ctx.oidc;
 
-      let token;
-      switch (params.token_type_hint) {
-        case 'access_token':
-        case 'urn:ietf:params:oauth:token-type:access_token':
-          token = await Promise.all([
-            getAccessToken(params.token),
-            getClientCredentials(params.token),
-          ])
-            .then(findResult)
-            .then((result) => result || getRefreshToken(params.token));
-          break;
-        case 'refresh_token':
-        case 'urn:ietf:params:oauth:token-type:refresh_token':
-          token = await getRefreshToken(params.token)
-            .then((result) => result || Promise.all([
-              getAccessToken(params.token),
-              getClientCredentials(params.token),
-            ]).then(findResult));
-          break;
-        default:
-          token = await Promise.all([
-            getAccessToken(params.token),
-            getClientCredentials(params.token),
-            getRefreshToken(params.token),
-          ]).then(findResult);
-      }
+      const token = await findToken(params.token, params.token_type_hint);
 
       if (!token) return;
 
diff --git a/lib/helpers/token_find.js b/lib/helpers/token_find.js
@@ -0,0 +1,51 @@
+export function createTokenFinder(provider, grantTypeHandlers) {
+  const { AccessToken, ClientCredentials, RefreshToken } = provider;
+
+  function getAccessToken(token) {
+    return AccessToken.find(token);
+  }
+
+  function getClientCredentials(token) {
+    if (!grantTypeHandlers.has('client_credentials')) {
+      return undefined;
+    }
+    return ClientCredentials.find(token);
+  }
+
+  function getRefreshToken(token) {
+    if (!grantTypeHandlers.has('refresh_token')) {
+      return undefined;
+    }
+    return RefreshToken.find(token);
+  }
+
+  function findResult(results) {
+    return results.find((found) => !!found);
+  }
+
+  return async function findTokenByHint(tokenValue, tokenTypeHint) {
+    switch (tokenTypeHint) {
+      case 'access_token':
+      case 'urn:ietf:params:oauth:token-type:access_token':
+        return Promise.all([
+          getAccessToken(tokenValue),
+          getClientCredentials(tokenValue),
+        ])
+          .then(findResult)
+          .then((result) => result || getRefreshToken(tokenValue));
+      case 'refresh_token':
+      case 'urn:ietf:params:oauth:token-type:refresh_token':
+        return getRefreshToken(tokenValue)
+          .then((result) => result || Promise.all([
+            getAccessToken(tokenValue),
+            getClientCredentials(tokenValue),
+          ]).then(findResult));
+      default:
+        return Promise.all([
+          getAccessToken(tokenValue),
+          getClientCredentials(tokenValue),
+          getRefreshToken(tokenValue),
+        ]).then(findResult);
+    }
+  };
+}
