From 0478d46568c7ec9ffd8b8a1882a4e14b928ea558 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Fri, 25 Apr 2025 15:52:23 -0400
Subject: [PATCH] return invalid_grant when authorization request not found

---
 internal/mcp/handler_token.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/mcp/handler_token.go b/internal/mcp/handler_token.go
index 53d418576..1e03d1861 100644
--- a/internal/mcp/handler_token.go
+++ b/internal/mcp/handler_token.go
@@ -55,10 +55,13 @@ func (srv *Handler) handleAuthorizationCodeToken(w http.ResponseWriter, r *http.
 	}
 
 	authReq, err := srv.storage.GetAuthorizationRequest(ctx, code.Id)
-	if err != nil {
+	if status.Code(err) == codes.NotFound {
 		oauth21.ErrorResponse(w, http.StatusBadRequest, oauth21.InvalidGrant)
 		return
 	}
+	if err != nil {
+		http.Error(w, "internal error", http.StatusInternalServerError)
+	}
 
 	err = AuthorizeTokenRequest(req, authReq)
 	if err != nil {