From b73691e09d1784d9c199a15985eb12f63022c184 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 19 Feb 2024 14:42:07 +0100
Subject: [PATCH] Fix nil deref when introspection a public client token
---
 oauth2.go | 12 ++++++------
diff --git a/oauth2.go b/oauth2.go
index 38eb74c41fbb30da595a0d1b397e89059860a584..ae6e541939862144617451aed35b05a7013dc522 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -320,17 +320,17 @@
 var resp oauth2.IntrospectionResp
 if token != nil {
 if client == nil {
+ client, err = db.FetchClient(ctx, token.Client)
+ if err != nil {
+ oauthError(w, fmt.Errorf("failed to fetch client: %v", err))
+ return
+ }
+
 if !client.IsPublic() {
 oauthError(w, &oauth2.Error{
 Code: oauth2.ErrorCodeInvalidClient,
 Description: "Missing client ID and secret",
 })
- return
- }
-
- client, err = db.FetchClient(ctx, token.Client)
- if err != nil {
- oauthError(w, fmt.Errorf("failed to fetch client: %v", err))
 return
 }
 }
-- 
2.48.1
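Review bot: The unauthenticated branch (`if client == nil`) now overwrites `client` with the token's own client, so any later check in this handler that compares the caller with the token's client would pass trivially for public-client tokens. That is presumably intended, but it deserves a comment above the `db.FetchClient` call, such as `// No client credentials sent: only a token issued to a public client may be introspected without authentication.` The fetch error is wrapped with `%v`; `fmt.Errorf("failed to fetch client: %w", err)` would keep the cause available to `errors.Is`/`errors.As`. It is also worth confirming that `oauthError` does not return the raw database error text to this unauthenticated caller. The enclosing handler starts and ends outside the hunk, so what happens when `token` is nil is not visible here.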