Disable introspection endpoints if disabled

CHANGELOG.md

@@ -7,6 +7,7 @@ User-visible changes worth mentioning.
 
 ## master
 
+- [#1416] Don't add introspection route if token introspection completely disabled.
 - [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
 
 ## 5.4.0

lib/doorkeeper/rails/routes.rb

@@ -38,7 +38,9 @@ def generate_routes!(options)
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
+            map_route(:tokens, :introspect_routes)
+          end
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)

spec/routing/scoped_routes_spec.rb

@@ -4,6 +4,11 @@
 
 RSpec.describe "Scoped routes" do
   before :all do
+    Doorkeeper.configure do
+      orm DOORKEEPER_ORM
+      allow_token_introspection false
+    end
+
     Rails.application.routes.disable_clear_and_finalize = true
 
     Rails.application.routes.draw do
@@ -44,4 +49,8 @@
   it "GET /scope/token/info route to authorized TokenInfo controller" do
     expect(get("/scope/token/info")).to route_to("doorkeeper/token_info#show")
   end
+
+  it "POST /scope/introspect routes not to exist" do
+    expect(post("/scope/introspect")).not_to be_routable
+  end
 end