Rescue bearer_does_not_exist error on token_by_client_credentials (#489)

* rescue bearer_does_not_exist error on token_by_client_credentials Lint * Update CHANGELOG.md
zaikio · Dec 18, 2023 · d17a3e3 · d17a3e3
1 parent 0bf00ef
commit d17a3e3
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+* Added: Rescue and return no access token on `bearer_does_not_exit` error.
+
 ## 0.21.2 - 2022-10-18
 
 * Fix: Use latest access token instead of first valid one in case user granted new permissions

diff --git a/app/models/zaikio/access_token.rb b/app/models/zaikio/access_token.rb
@@ -10,6 +10,8 @@ class AccessToken < ApplicationRecord
     encrypts :refresh_token
 
     def self.build_from_access_token(access_token, requested_scopes: nil, include_refresh_token: true)
+      return if access_token.nil?
+
       payload = JWT.decode(access_token.token, nil, false).first rescue {} # rubocop:disable Style/RescueModifier
       scopes = access_token.params["scope"].split(",")
       new(

diff --git a/lib/zaikio/oauth_client.rb b/lib/zaikio/oauth_client.rb
@@ -140,7 +140,7 @@ def fetch_new_token(client_config:, bearer_type:, bearer_id:, scopes:)
           include_refresh_token: false
           # Do not store refresh token on client credentials flow
           # https://docs.zaikio.com/changelog/2022-08-09_client-credentials-drop-refresh-token.html
-        ).tap(&:save!)
+        )&.tap(&:save!)
       end
 
       def get_plain_scopes(scopes)

diff --git a/lib/zaikio/oauth_client/client_configuration.rb b/lib/zaikio/oauth_client/client_configuration.rb
@@ -46,6 +46,13 @@ def token_by_client_credentials(bearer_id: nil, bearer_type: "Person", scopes: [
         Zaikio::OAuthClient.with_oauth_scheme(:basic_auth) do
           oauth_client.client_credentials.get_token(scope: scopes_with_prefix.join(","))
         end
+      rescue OAuth2::Error => e
+        if e.response.body.include?("bearer_does_not_exist")
+          Rails.logger.error "#{bearer_type[0..2]}/#{bearer_id} does not exist"
+          return
+        end
+
+        raise e
       end
 
       class OrganizationConnection

diff --git a/test/zaikio/oauth_client_test.rb b/test/zaikio/oauth_client_test.rb
@@ -380,6 +380,34 @@ def setup
     assert_nil access_token.refresh_token # not set in client credentials
   end
 
+  test "client credentials token returns nil if bearer_not_exist" do
+    Zaikio::JWTAuth.stubs(:revoked_token_ids).returns([])
+    Zaikio::AccessToken.delete_all
+
+    stub_request(:post, "http://hub.zaikio.test/oauth/access_token")
+      .with(
+        basic_auth: %w[abc secret],
+        body: {
+          "grant_type" => "client_credentials",
+          "scope" => "Org/123.directory.something.r"
+        },
+        headers: {
+          "Accept" => "application/json"
+        }
+      )
+      .to_return(status: 402, body: {
+        errors: { scopes: ["bearer_does_not_exist"] }
+      }.to_json, headers: { "Content-Type" => "application/json" })
+
+    access_token = Zaikio::OAuthClient.get_access_token(
+      bearer_type: "Organization",
+      bearer_id: "123",
+      scopes: %w[directory.something.r]
+    )
+
+    assert_nil access_token
+  end
+
   test "use with auth helper" do
     Zaikio::JWTAuth.stubs(:revoked_token_ids).returns([])
     access_token = Zaikio::AccessToken.create!(