Clear invalid OIDC tokens

2026-02-08 22:56:06 +00:00 · 2025-02-06 16:22:29 +11:00
parent 29032a913c
commit 00a2894e93
3 changed files with 117 additions and 0 deletions
--- a/engines/dfc_provider/app/services/dfc_request.rb
+++ b/engines/dfc_provider/app/services/dfc_request.rb
@@ -84,5 +84,8 @@ class DfcRequest
      token: token.access_token,
      refresh_token: token.refresh_token
    )
+  rescue Rack::OAuth2::Client::Error
+    @user.oidc_account.update!(token: nil, refresh_token: nil)
+    raise
  end
 end
--- a/engines/dfc_provider/spec/services/dfc_request_spec.rb
+++ b/engines/dfc_provider/spec/services/dfc_request_spec.rb
@@ -58,6 +58,18 @@ RSpec.describe DfcRequest do
    # The absence of errors makes this test pass.
  end

+  it "clears invalid refresh tokens", vcr: true do
+    stub_request(:get, "http://example.net/api").to_return(status: 401)
+
+    account.refresh_token = "some-invalid-token"
+    account.updated_at = 1.day.ago
+
+    expect { api.call("http://example.net/api") }
+      .to raise_error(Rack::OAuth2::Client::Error)
+
+    expect(account.refresh_token).to eq nil
+  end
+
  it "refreshes the access token and retrieves the FDC catalog", vcr: true do
    # A refresh is only attempted if the token is stale.
    account.uid = "testdfc@protonmail.com"
--- a/spec/fixtures/vcr_cassettes/DfcRequest/clears_invalid_refresh_tokens.yml
+++ b/spec/fixtures/vcr_cassettes/DfcRequest/clears_invalid_refresh_tokens.yml