From 602d71e43bf4d5fce25246614382643d0d7b956a Mon Sep 17 00:00:00 2001
From: Gerard Snaauw <33763579+gerardsn@users.noreply.github.com>
Date: Fri, 24 May 2024 10:52:21 +0200
Subject: [PATCH] return 404 for missing token sessionID (#3137)
---
 auth/api/iam/api.go | 3 +++
 auth/api/iam/api_test.go | 5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index a75e205531..59c1e6ffa9 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -231,6 +231,9 @@ func (r Wrapper) RetrieveAccessToken(_ context.Context, request RetrieveAccessTo
 var token TokenResponse
 err := r.accessTokenClientStore().Get(request.SessionID, &token)
 if err != nil {
+ if errors.Is(err, storage.ErrNotFound) {
+ return nil, core.NotFoundError("session not found")
+ }
 return nil, err
 }
 if token.Get("status") == oauth.AccessTokenRequestStatusPending {
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
index 2e23c67075..b27975556c 100644
--- a/auth/api/iam/api_test.go
+++ b/auth/api/iam/api_test.go
@@ -565,12 +565,11 @@ func TestWrapper_RetrieveAccessToken(t *testing.T) {
 assert.IsType(t, RetrieveAccessToken200JSONResponse{}, res)
 assert.ErrorIs(t, ctx.client.accessTokenClientStore().Get("id", new(TokenResponse)), storage.ErrNotFound)
 })
- t.Run("error - unknown sessionID", func(t *testing.T) {
+ t.Run("error - 404 unknown sessionID", func(t *testing.T) {
 ctx := newTestClient(t)
 res, err := ctx.client.RetrieveAccessToken(nil, request)
-
- assert.ErrorIs(t, err, storage.ErrNotFound)
+ assert.ErrorIs(t, err, core.NotFoundError(""))
 assert.Nil(t, res)
 })
 }
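Review bot: The new `errors.Is(err, storage.ErrNotFound)` branch in RetrieveAccessToken carries no comment saying which cases it covers, and that matters to anyone reasoning about what this endpoint reveals. Going by the context lines of the test hunk, the store also returns ErrNotFound once a token has been retrieved, so the 404 stands for unknown and already-consumed session IDs alike (expired entries presumably too) and the caller cannot tell them apart. I would put this above the branch: `// ErrNotFound covers unknown and already-retrieved sessions; answer 404 for both without distinguishing them`. Other store errors still return the raw `err`; the function starts before and continues past this hunk, so how that error is rendered to the client is not visible here.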
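Review bot: `assert.ErrorIs(t, err, core.NotFoundError(""))` compares against a freshly built error with an empty message, so it only passes if the type behind core.NotFoundError matches on something other than its text (presumably the status code; its definition is not part of this patch). As written the subtest would also accept any other 404 raised inside RetrieveAccessToken, not just the missing-session one. Pinning the message next to it makes the intent explicit, assuming Error() returns the message unchanged: `assert.EqualError(t, err, "session not found")`. TestWrapper_RetrieveAccessToken begins outside this hunk.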