From 08ff34599ee1641e87eb5ec14bae602fd683a9da Mon Sep 17 00:00:00 2001
From: Anderson Luciano
Date: Tue, 26 Nov 2019 11:55:31 -0300
Subject: [PATCH 1/2] Implemented the check of fetched row, if isn't a array, throw exception

---
 src/Repository/Pdo/AccessTokenRepository.php | 4 ++++
 .../Repository/Pdo/AccessTokenRepositoryTest.php | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/Repository/Pdo/AccessTokenRepository.php b/src/Repository/Pdo/AccessTokenRepository.php
index cac3249..630839e 100644
--- a/src/Repository/Pdo/AccessTokenRepository.php
+++ b/src/Repository/Pdo/AccessTokenRepository.php
@@ -12,6 +12,7 @@
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use Zend\Expressive\Authentication\OAuth2\Entity\AccessTokenEntity;
@@ -114,6 +115,9 @@ public function isAccessTokenRevoked($tokenId)
 return false;
 }
 $row = $sth->fetch();
+ if (!is_array($row)) {
+ throw OAuthServerException::invalidRefreshToken();
+ }
 return array_key_exists('revoked', $row) ? (bool) $row['revoked'] : false;
 }
 
diff --git a/test/Repository/Pdo/AccessTokenRepositoryTest.php b/test/Repository/Pdo/AccessTokenRepositoryTest.php
index 4bb48cc..85b61b9 100644
--- a/test/Repository/Pdo/AccessTokenRepositoryTest.php
+++ b/test/Repository/Pdo/AccessTokenRepositoryTest.php
@@ -15,6 +15,7 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 use PDOStatement;
 use PHPUnit\Framework\TestCase;
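Review bot: `OAuthServerException::invalidRefreshToken()` is the wrong error for the missing-row case in `isAccessTokenRevoked()`: the lookup is for an access token, so the client and anyone debugging a rejected bearer token will be told that a refresh token is invalid. Since the repository interface is documented to return a bool here, the narrowest fail-closed fix is to treat an unknown token as revoked, `return true;`, and let the caller raise its usual revoked-token error; if an exception is preferred, `throw OAuthServerException::accessDenied('Access token not found');` at least names the real condition. The `return false;` at the top of the hunk, presumably the `execute()` failure path, still reports a failed query as "not revoked", so a database error fails open while a missing row now fails closed — worth aligning the two. The method begins above the hunk, so its query and parameter binding are not visible here.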
@@ -133,6 +134,21 @@ public function testIsAccessTokenRevokedReturnsTrueWhenRowRevokedFlagIsTrue()
 $this->assertTrue($this->repo->isAccessTokenRevoked('token_id'));
 }
 
+ public function testIsAcessTokenRevokedRaisesExceptionWhenTokenIdDontExists()
+ {
+ $statement = $this->prophesize(PDOStatement::class);
+ $statement->bindParam(':tokenId', 'token_id')->shouldBeCalled();
+ $statement->execute()->willReturn(true)->shouldBeCalled();
+ $statement->fetch()->willReturn(false)->shouldBeCalled();
+
+ $this->pdo
+ ->prepare(Argument::containingString('SELECT revoked FROM oauth_access_tokens'))
+ ->will([$statement, 'reveal']);
+
+ $this->expectException(OAuthServerException::class);
+ $this->repo->isAccessTokenRevoked('token_id');
+ }
+
 public function testRevokeAccessToken()
 {
 $statement = $this->prophesize(PDOStatement::class);

From a8749b59a2c44cc22140ae3b1432159ef5f7b6e6 Mon Sep 17 00:00:00 2001
From: Anderson Luciano
Date: Tue, 26 Nov 2019 12:17:01 -0300
Subject: [PATCH 2/2] Fix cs-check issue

---
 src/Repository/Pdo/AccessTokenRepository.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Repository/Pdo/AccessTokenRepository.php b/src/Repository/Pdo/AccessTokenRepository.php
index 630839e..03aa739 100644
--- a/src/Repository/Pdo/AccessTokenRepository.php
+++ b/src/Repository/Pdo/AccessTokenRepository.php
@@ -115,7 +115,7 @@ public function isAccessTokenRevoked($tokenId)
 return false;
 }
 $row = $sth->fetch();
- if (!is_array($row)) {
+ if (! is_array($row)) {
 throw OAuthServerException::invalidRefreshToken();
 }
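Review bot: `expectException(OAuthServerException::class)` in the new test accepts any OAuth server error, so it would not notice if the repository raised the wrong one — and the repository hunk in this series raises the refresh-token error for an access-token lookup. Pin the specific error as well, for example with `$this->expectExceptionMessage(...)` against the message the chosen factory produces, or by catching the exception and asserting on its `getErrorType()`. The method name also carries two typos; `testIsAccessTokenRevokedRaisesExceptionWhenTokenIdDoesNotExist` reads correctly. The test method itself is complete within the hunk.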