fix(oauth2): Show OAuth2 error on account page if token renewal faile…

…d due to invalid grant
postalsys · Mar 27, 2024 · 70f7bc8 · 70f7bc8
1 parent 4d4be15
commit 70f7bc8
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 0 deletions.
diff --git a/lib/account.js b/lib/account.js
@@ -2087,6 +2087,10 @@ class Account {
                 user: accountData.oauth2.auth.user
             });
 
+            if (r.tokenRequest?.userFlag) {
+                await this.update({ account: accountData.account, oauth2: { partial: true, userFlag: r.tokenRequest?.userFlag } });
+            }
+
             if (!r.access_token) {
                 throw new Error('Failed to renew token');
             }
@@ -2105,6 +2109,7 @@ class Account {
             }
 
             accountData.oauth2 = Object.assign(accountData.oauth2 || {}, updates);
+            delete accountData.oauth2.userFlag;
 
             this.logger.info({
                 msg: 'Renewed OAuth2 access token',

diff --git a/lib/oauth/gmail.js b/lib/oauth/gmail.js
@@ -62,6 +62,23 @@ const checkForFlags = err => {
     return false;
 };
 
+const checkForUserFlags = err => {
+    if (!err || typeof err !== 'object') {
+        return false;
+    }
+
+    let { error, error_description: description } = err;
+
+    if (error === 'invalid_grant') {
+        return {
+            message: 'Failed to renew the access token for the user',
+            description
+        };
+    }
+
+    return false;
+};
+
 const formatFetchBody = (searchParams, logRaw) => {
     let data = Object.fromEntries(searchParams);
 
@@ -352,6 +369,11 @@ class GmailOauth {
                     await this.setFlag(flag);
                     err.tokenRequest.flag = flag;
                 }
+
+                let userFlag = checkForUserFlags(err.tokenRequest.response);
+                if (userFlag) {
+                    err.tokenRequest.userFlag = userFlag;
+                }
             } catch (err) {
                 // ignore
             }

diff --git a/lib/oauth/outlook.js b/lib/oauth/outlook.js
@@ -41,6 +41,30 @@ const checkForFlags = err => {
     return false;
 };
 
+const checkForUserFlags = err => {
+    if (!err || typeof err !== 'object') {
+        return false;
+    }
+
+    let { error, error_description: description } = err;
+
+    if (error === 'invalid_grant' && /user might have changed or reset their password/i.test(description)) {
+        return {
+            message: 'The user changed their email account password and OAuth2 grant was revoked. Ask the user to re-authenticate.',
+            description
+        };
+    }
+
+    if (error === 'invalid_grant') {
+        return {
+            message: 'Failed to renew the access token for the user',
+            description
+        };
+    }
+
+    return false;
+};
+
 const formatFetchBody = (searchParams, logRaw) => {
     let data = Object.fromEntries(searchParams);
 
@@ -292,6 +316,11 @@ class OutlookOauth {
                 if (flag) {
                     await this.setFlag(flag);
                 }
+
+                let userFlag = checkForUserFlags(err.tokenRequest.response);
+                if (userFlag) {
+                    err.tokenRequest.userFlag = userFlag;
+                }
             } catch (err) {
                 // ignore
             }

diff --git a/views/accounts/account.hbs b/views/accounts/account.hbs
@@ -195,6 +195,21 @@
     </div>
     <div class="card-body">
 
+        {{#if account.oauth2.userFlag.message }}
+        <div class="alert alert-danger">{{account.oauth2.userFlag.message}}
+
+            {{#if account.oauth2.userFlag.description}}
+            <hr>
+            <p class="mb-0">
+                <small>{{account.oauth2.userFlag.description}}</small>
+            </p>
+            {{/if}}
+
+        </div>
+        <hr>
+
+        {{/if}}
+
         <dl class="row">
 
             {{#if account.oauth2.provider}}