Merge pull request #201 from intuit/release-4.2.2

rajeshgupta723 · web-flow · commit b2476be89bf2 · 2025-11-09T19:28:57.000-08:00
Fix critical OAuth bugs and improve error handling
diff --git a/sample/app.js b/sample/app.js
@@ -51,11 +51,28 @@ app.get('/', function (req, res) {
  * Get the AuthorizeUri
  */
 app.get('/authUri', urlencodedParser, function (req, res) {
+  // Trim all input values to prevent whitespace issues
+  const clientId = (req.query.json.clientId || '').trim();
+  const clientSecret = (req.query.json.clientSecret || '').trim();
+  const environment = (req.query.json.environment || '').trim();
+  const redirectUri = (req.query.json.redirectUri || '').trim();
+
+  // Validate inputs
+  if (!clientId || !clientSecret || !environment || !redirectUri) {
+    return res.status(400).send('Missing required parameters');
+  }
+
+  console.log('\n=== Creating OAuth Client ===');
+  console.log('Client ID:', clientId.substring(0, 10) + '...');
+  console.log('Environment:', environment);
+  console.log('Redirect URI:', redirectUri);
+  console.log('=============================\n');
+
   oauthClient = new OAuthClient({
-    clientId: req.query.json.clientId,
-    clientSecret: req.query.json.clientSecret,
-    environment: req.query.json.environment,
-    redirectUri: req.query.json.redirectUri,
+    clientId,
+    clientSecret,
+    environment,
+    redirectUri,
     logging: true,        //NOTE: a "logs" folder will be created/used in the current working directory, this will have oAuthClient-log.log 
   });
 
@@ -70,13 +87,34 @@ app.get('/authUri', urlencodedParser, function (req, res) {
  * Handle the callback to extract the `Auth Code` and exchange them for `Bearer-Tokens`
  */
 app.get('/callback', function (req, res) {
+  console.log('\n=== OAuth Callback Received ===');
+  console.log('Full callback URL:', req.url);
+  console.log('Query params:', req.query);
+  console.log('===============================\n');
+
   oauthClient
     .createToken(req.url)
     .then(function (authResponse) {
       oauth2_token_json = JSON.stringify(authResponse.json, null, 2);
+      console.log('✅ Token creation successful!');
+      console.log('Token details:', {
+        has_access_token: !!authResponse.json.access_token,
+        has_refresh_token: !!authResponse.json.refresh_token,
+        realmId: authResponse.json.realmId,
+      });
     })
     .catch(function (e) {
-      console.error(e);
+      console.error('\n❌ Token creation failed!');
+      console.error('Error:', e.error || e.message);
+      console.error('Error description:', e.error_description);
+      console.error('Intuit TID:', e.intuit_tid);
+      console.error('Full error:', e);
+      console.error('\nPossible causes:');
+      console.error('1. Authorization code already used (codes are single-use)');
+      console.error('2. Redirect URI mismatch');
+      console.error('3. Invalid client credentials');
+      console.error('4. Authorization code expired (10 minute limit)');
+      console.error('\nSolution: Try authorizing again with "Connect to QuickBooks"\n');
     });
 
   res.send('');
@@ -109,13 +147,55 @@ app.get('/refreshAccessToken', function (req, res) {
  * getCompanyInfo ()
  */
 app.get('/getCompanyInfo', function (req, res) {
-  const companyID = oauthClient.getToken().realmId;
+  // Validate that we have a valid oauth client and tokens
+  if (!oauthClient) {
+    return res.status(400).json({
+      error: true,
+      message: 'OAuth client not initialized. Please connect to QuickBooks first.',
+    });
+  }
+
+  const token = oauthClient.getToken();
+  
+  // Check if we have a valid access token
+  if (!token.access_token) {
+    return res.status(401).json({
+      error: true,
+      message: 'No access token available. Please connect to QuickBooks first.',
+      hint: 'Click "Connect to QuickBooks" button and complete authorization.',
+    });
+  }
+
+  // Check if access token is still valid
+  if (!oauthClient.isAccessTokenValid()) {
+    return res.status(401).json({
+      error: true,
+      message: 'Access token has expired. Please refresh the token or reconnect.',
+      hint: 'Click "Refresh Token" button to get a new access token.',
+    });
+  }
+
+  const companyID = token.realmId;
+
+  if (!companyID) {
+    return res.status(400).json({
+      error: true,
+      message: 'No company ID (realmId) available.',
+    });
+  }
 
   const url =
     oauthClient.environment == 'sandbox'
       ? OAuthClient.environment.sandbox
       : OAuthClient.environment.production;
 
+  console.log(`\n=== Making API Call ===`);
+  console.log(`Company ID: ${companyID}`);
+  console.log(`Environment: ${oauthClient.environment}`);
+  console.log(`URL: ${url}v3/company/${companyID}/companyinfo/${companyID}`);
+  console.log(`Access Token Length: ${token.access_token.length}`);
+  console.log('======================\n');
+
   oauthClient
     .makeApiCall({ url: `${url}v3/company/${companyID}/companyinfo/${companyID}` })
     .then(function (authResponse) {
@@ -124,14 +204,31 @@ app.get('/getCompanyInfo', function (req, res) {
       res.send(resp);
     })
     .catch(function (e) {
+      // Check if it's an OAuthError with detailed information
+      console.error('\n=== API Call Error ===');
+      console.error('Error Name:', e.name);
+      console.error('Error Message:', e.message);
+      
+      if (e.code) {
+        console.error('Error Code:', e.code);
+      }
+      
+      if (e.description) {
+        console.error('Error Description:', e.description);
+      }
+      
+      if (e.intuitTid) {
+        console.error('Intuit Transaction ID:', e.intuitTid);
+      }
+
       // Detailed error analysis
       const errorAnalysis = {
         // Basic error properties
         basic: {
           name: e.name,
           message: e.message,
           stack: e.stack,
-          code: e.code
+          code: e.code,
         },
         // Response analysis
         response: e.response ? {
@@ -148,41 +245,49 @@ app.get('/getCompanyInfo', function (req, res) {
               detail: err.Detail,
               code: err.code,
               element: err.element,
-              additionalInfo: err.additionalInfo
+              additionalInfo: err.additionalInfo,
             })) : null,
-            timestamp: e.response.data.time
+            timestamp: e.response.data.time,
           } : null),
           // OAuth error fields
           oauth: {
-            error:e.response.data && e.response.data.error,
-            error_description: e.response.data && e.response.data.error_description
-          }
+            error: e.response.data && e.response.data.error,
+            error_description: e.response.data && e.response.data.error_description,
+          },
         } : null,
         // Request analysis
         request: e.request ? {
           method: e.request.method,
           path: e.request.path,
-          headers: e.request.headers
-        } : null
+          headers: e.request.headers,
+        } : null,
       };
 
       // Log the detailed error analysis
       console.error('Exception Analysis:', {
         hasFaultObject: !!(e.response && e.response.data && e.response.data.Fault),
         faultType: e.response && e.response.data && e.response.data.Fault && e.response.data.Fault.type,
         faultErrors: e.response && e.response.data && e.response.data.Fault && e.response.data.Fault.Error,
-        fullAnalysis: errorAnalysis
+        fullAnalysis: errorAnalysis,
       });
+      
+      console.error('======================\n');
 
-      // Send error response to client
-      res.status(e.response ? e.response.status : 500).json({
+      // Send error response to client with more detail
+      const status = e.response ? e.response.status : 500;
+      const errorResponse = {
         error: true,
         message: e.message,
+        code: e.code,
+        description: e.description,
+        intuitTid: e.intuitTid,
         fault: e.response && e.response.data && e.response.data.Fault ? {
           type: e.response.data.Fault.type,
-          errors: e.response.data.Fault.Error
-        } : null
-      });
+          errors: e.response.data.Fault.Error,
+        } : null,
+      };
+      
+      res.status(status).json(errorResponse);
     });
 });
 
diff --git a/sample/package.json b/sample/package.json
@@ -17,7 +17,7 @@
     "ejs": "^3.1.9",
     "express": "^4.14.0",
     "express-session": "^1.14.2",
-    "intuit-oauth": "^4.1.0",
+    "intuit-oauth": "4.2.2",
     "ngrok": "^5.0.0-beta.2",
     "path": "^0.12.7"
   },
diff --git a/src/OAuthClient.js b/src/OAuthClient.js
@@ -202,16 +202,31 @@ function safeStringify(obj) {
 OAuthClient.prototype.createToken = function createToken(uri) {
   return new Promise((resolve) => {
     if (!uri) throw new Error('Provide the Uri');
-    const params = queryString.parse(uri.split('?').reverse()[0]);
-    this.getToken().realmId = params.realmId ? params.realmId : '';
-    if ('state' in params) this.getToken().state = params.state;
+    // Safely parse query string from URI
+    const queryIndex = uri.indexOf('?');
+    const queryPart = queryIndex !== -1 ? uri.substring(queryIndex + 1) : uri;
+    const params = queryString.parse(queryPart);
+    
+    // Fix: Directly access token object instead of getToken() which returns a copy
+    this.token.realmId = params.realmId || '';
+    if ('state' in params) this.token.state = params.state;
 
     const body = {};
     if (params.code) {
       body.grant_type = 'authorization_code';
       body.code = params.code;
       body.redirect_uri = params.redirectUri || this.redirectUri;
     }
+    
+    // Log request details for debugging (without sensitive data)
+    this.log('info', 'Token exchange request:', {
+      grant_type: body.grant_type,
+      code_length: body.code ? body.code.length : 0,
+      redirect_uri: body.redirect_uri,
+      has_code: !!body.code,
+      realmId: this.token.realmId,
+      state: this.token.state,
+    });
 
     const request = {
       url: OAuthClient.tokenEndpoint,
@@ -680,13 +695,19 @@ OAuthClient.prototype.validateIdToken = function validateIdToken(params = {}) {
     const id_token_payload = JSON.parse(atob(token_parts[1]));
 
     // Step 1 : First check if the issuer is as mentioned in "issuer"
-    if (id_token_payload.iss !== 'https://oauth.platform.intuit.com/op/v1') return false;
+    if (id_token_payload.iss !== 'https://oauth.platform.intuit.com/op/v1') {
+      throw new Error('Invalid issuer in ID token');
+    }
 
     // Step 2 : check if the aud field in idToken contains application's clientId
-    if (!id_token_payload.aud.find((audience) => audience === this.clientId)) return false;
+    if (!id_token_payload.aud.find((audience) => audience === this.clientId)) {
+      throw new Error('Invalid audience in ID token');
+    }
 
     // Step 3 : ensure the timestamp has not elapsed
-    if (id_token_payload.exp < Date.now() / 1000) return false;
+    if (id_token_payload.exp < Date.now() / 1000) {
+      throw new Error('ID token has expired');
+    }
 
     const request = {
       url: OAuthClient.jwks_uri,
@@ -726,6 +747,9 @@ OAuthClient.prototype.getKeyFromJWKsURI = function getKeyFromJWKsURI(id_token, k
       if (Number(response.status) !== 200) throw new Error('Could not reach JWK endpoint');
       // Find the key by KID
       const key = response.data.keys.find((el) => el.kid === kid);
+      if (!key) {
+        throw new Error(`Key with kid "${kid}" not found in JWKS`);
+      }
       const cert = this.getPublicKey(key.n, key.e);
 
       return jwt.verify(id_token, cert);
diff --git a/test/error-handling-demo.js b/test/error-handling-demo.js
