OAuth2: Validate OAuth2Client owner of refresh_tokens

r2/r2/controllers/oauth2.py

@@ -322,18 +322,21 @@ class OAuth2AccessController(MinimalController):
 
     @validate(refresh_token=VOAuth2RefreshToken("refresh_token"))
     def _access_token_refresh(self, refresh_token):
-        resp = {}
         access_token = None
         if refresh_token:
-            access_token = OAuth2AccessToken._new(
-                refresh_token.client_id, refresh_token.user_id,
-                refresh_token.scope,
-                refresh_token=refresh_token._id)
+            if refresh_token.client_id == c.oauth2_client._id:
+                access_token = OAuth2AccessToken._new(
+                    refresh_token.client_id, refresh_token.user_id,
+                    refresh_token.scope,
+                    refresh_token=refresh_token._id)
+            else:
+                c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
         else:
             c.errors.add("NO_TEXT", field="refresh_token")
 
         if c.errors:
             resp = self._check_for_errors()
+            response.status = 400
         else:
             resp = self._make_token_dict(access_token)
         return self.api_wrapper(resp)