ensure oauth tokens with no client id aren’t accepted

these should have been deleted by deleting oauth clients

jupyterhub/apihandlers/auth.py

@@ -22,6 +22,11 @@ class TokenAPIHandler(APIHandler):
         orm_token = orm.APIToken.find(self.db, token)
         if orm_token is None:
             orm_token = orm.OAuthAccessToken.find(self.db, token)
+            if orm_token and not orm_token.client_id:
+                self.log.warning("Deleting stale oauth token for %s", orm_token.user)
+                self.db.delete(orm_token)
+                self.db.commit()
+                orm_token = None
         if orm_token is None:
             raise web.HTTPError(404)
 

jupyterhub/handlers/base.py

@@ -195,7 +195,11 @@ class BaseHandler(RequestHandler):
         orm_token = orm.OAuthAccessToken.find(self.db, token)
         if orm_token is None:
             return None
-        else:
+        if orm_token and not orm_token.client_id:
+            self.log.warning("Deleting stale oauth token for %s", orm_token.user)
+            self.db.delete(orm_token)
+            self.db.commit()
+            return None
         orm_token.last_activity = \
             orm_token.user.last_activity = datetime.utcnow()
         self.db.commit()