Description
We're using password grant with access tokens and refresh tokens.
Now when running `league:oauth2-server:clear-expired-tokens`, all expired access tokens (and other things) are removed from the database. However, when a refresh token is then used for such an expired access token, the following error occurs:

`Entity of type 'League\Bundle\OAuth2ServerBundle\Model\AccessToken' for IDs identifier(xxxxxxxx) was not found`
I've done some debugging to find out why this happens. First, the RefreshToken for the given id is fetched from the database. RefreshToken has a relation with AccessToken, and Doctrine creates a Ghost object for that id inside the refresh token. This Ghost object is also stored inside Doctrine's entity manager. Further down the path, the `AccessTokenRepository::revokeAccessToken` method is invoked for the access token id. There, `$accessToken = $this->accessTokenManager->find($tokenId);` is called, but instead of returning `null` (as the access token doesn't exist in the database) it returns the Ghost object created for the RefreshToken above. Then the `->revoke()` method is called, Doctrine tries to convert the ghost object into a real object, and throws an exception, resulting in a server 500.
Solution
The relation between RefreshToken and AccessToken is optional, so when expired access tokens are deleted, the `refresh_tokens.access_token` column should also be updated.
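The following is an added example, not code from the bundle or from this issue's author. It models the clean-up and the revocation path described above with an in-memory SQLite schema, so the dangling reference left by deleting only the access token rows, and the effect of also nulling `refresh_tokens.access_token`, can be observed directly. The `access_tokens` table name, the other column names, the token identifiers and the fixed clock are assumptions constructed for the example; only `refresh_tokens.access_token` comes from the issue.

```python
"""Added example (not league/oauth2-server-bundle code): expired-token clean-up
with and without detaching refresh tokens, on an in-memory SQLite database.
Table/column names other than refresh_tokens.access_token are assumptions."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Simplified stand-in for the bundle's tables (assumed layout).
SCHEMA = """
CREATE TABLE access_tokens (
    identifier TEXT PRIMARY KEY,
    expiry     TEXT NOT NULL,
    revoked    INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE refresh_tokens (
    identifier   TEXT PRIMARY KEY,
    access_token TEXT NULL REFERENCES access_tokens(identifier),  -- optional relation
    expiry       TEXT NOT NULL,
    revoked      INTEGER NOT NULL DEFAULT 0
);
"""


def open_db() -> sqlite3.Connection:
    # SQLite does not enforce foreign keys unless PRAGMA foreign_keys=ON,
    # which is what lets the buggy clean-up leave a dangling reference behind.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection, now: datetime) -> None:
    # Constructed sample data: one expired access token whose refresh token
    # is still valid, and one live pair.
    conn.executemany("INSERT INTO access_tokens VALUES (?, ?, 0)", [
        ("at_expired", (now - timedelta(hours=1)).isoformat()),
        ("at_live", (now + timedelta(hours=1)).isoformat()),
    ])
    conn.executemany("INSERT INTO refresh_tokens VALUES (?, ?, ?, 0)", [
        ("rt_for_expired", "at_expired", (now + timedelta(days=30)).isoformat()),
        ("rt_for_live", "at_live", (now + timedelta(days=30)).isoformat()),
    ])
    conn.commit()


def clear_expired_access_tokens(conn: sqlite3.Connection, now: datetime,
                                detach_refresh_tokens: bool) -> int:
    """Delete expired access tokens; optionally null out refresh-token references first.
    Returns the number of access tokens deleted."""
    expired = [row[0] for row in conn.execute(
        "SELECT identifier FROM access_tokens WHERE expiry < ?", (now.isoformat(),))]
    if not expired:
        return 0
    marks = ",".join("?" * len(expired))
    if detach_refresh_tokens:
        # The fix proposed in the issue: the relation is optional, so clear it.
        conn.execute(
            f"UPDATE refresh_tokens SET access_token = NULL WHERE access_token IN ({marks})",
            expired)
    conn.execute(f"DELETE FROM access_tokens WHERE identifier IN ({marks})", expired)
    conn.commit()
    return len(expired)


def dangling_refresh_tokens(conn: sqlite3.Connection) -> list:
    """Refresh tokens whose access_token points at a row that no longer exists:
    the state behind the 'was not found' error in the issue."""
    return [row[0] for row in conn.execute(
        "SELECT r.identifier FROM refresh_tokens r "
        "LEFT JOIN access_tokens a ON a.identifier = r.access_token "
        "WHERE r.access_token IS NOT NULL AND a.identifier IS NULL")]


def revoke_access_token_for_refresh(conn: sqlite3.Connection, refresh_id: str) -> str:
    """Revocation path that reports a missing access token instead of failing."""
    row = conn.execute("SELECT access_token FROM refresh_tokens WHERE identifier = ?",
                       (refresh_id,)).fetchone()
    if row is None or row[0] is None:
        return "no-access-token"
    updated = conn.execute("UPDATE access_tokens SET revoked = 1 WHERE identifier = ?",
                           (row[0],)).rowcount
    conn.commit()
    return "revoked" if updated else "missing"


def demo(detach_refresh_tokens: bool) -> dict:
    """Run clean-up then revocation on fresh sample data and report the outcome."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    conn = open_db()
    seed(conn, now)
    return {
        "cleared": clear_expired_access_tokens(conn, now, detach_refresh_tokens),
        "dangling": dangling_refresh_tokens(conn),
        "revoke_expired": revoke_access_token_for_refresh(conn, "rt_for_expired"),
        "revoke_live": revoke_access_token_for_refresh(conn, "rt_for_live"),
    }


if __name__ == "__main__":
    print("delete only:      ", demo(False))
    print("detach then delete:", demo(True))
```

Running `demo(False)` reproduces the broken state (a refresh token still pointing at a deleted access token), while `demo(True)` shows that nulling the optional relation before the delete leaves nothing dangling, so a later revocation finds no access token to revoke rather than a reference it cannot resolve.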