From 0624fb4113eb27281853ed473bea52394ec6ba52 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
 <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 31 Jul 2023 17:54:29 -0400
Subject: [PATCH] backport of commit f3a4c01ba9e05850e255406f5bf4bc7f052c3985
 (#22140)

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
---
 changelog/22137.txt  | 3 +++
 vault/token_store.go | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 changelog/22137.txt

diff --git a/changelog/22137.txt b/changelog/22137.txt
new file mode 100644
index 000000000..6f5a3bee9
--- /dev/null
+++ b/changelog/22137.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core:  Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. 
+```
\ No newline at end of file
diff --git a/vault/token_store.go b/vault/token_store.go
index d25aa629d..882206fa5 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1691,8 +1691,14 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai
 	// If we are still restoring the expiration manager, we want to ensure the
 	// token is not expired
 	if ts.expiration == nil {
-		return nil, errors.New("expiration manager is nil on tokenstore")
+		switch ts.core.IsDRSecondary() {
+		case true: // Bail if on DR secondary as expiration manager is nil
+			return nil, nil
+		default:
+			return nil, errors.New("expiration manager is nil on tokenstore")
+		}
 	}
+
 	le, err := ts.expiration.FetchLeaseTimesByToken(ctx, entry)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch lease times: %w", err)