Catch OIDC error #13078
Conversation
I think that you invalidate tokens in Keycloak. So that's possible for manual testing but not automated testing. There we just have to mock the response.
ActionController::ParameterMissing => e | ||
ActionController::ParameterMissing, | ||
Rack::OAuth2::Client::Error => e | ||
flash[:error] = e.message | ||
redirect_to admin_product_import_path |
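Review bot: `flash[:error] = e.message` places a provider-supplied string (the Rack::OAuth2::Client::Error message, i.e. the error and description returned by the token endpoint) straight into the UI, so it must be escaped when rendered and is better replaced by a fixed translation string with the raw message only logged. The same rescue now also folds two unrelated failures into one redirect: ActionController::ParameterMissing is a bad request from the form, while the OAuth error means the user's OIDC session is gone, so distinct messages would help the user know what to do next.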
Does the flash message persist or disappear automatically?
In my testing I confirmed that error messages persist.
I remember this was intentional as part of the BUU update (other messages auto dismiss, but errors need to be dismissed by the user).
Thanks, can you describe how I would do that? I just tried logging in to Les Communs with the testdfc@protonmail.com details in BitWarden, but it only showed my current browser session. Is that the right account? Hmm, maybe it's because the session has ended already! I'll stage this PR and see what happens.
Oh it's currently only connected on uk-staging. It shows the session is active, with no error: https://staging.openfoodnetwork.org.uk/admin/oidc_settings So I can see the token is valid, but don't know how to invalidate it still.
Tried to test in
But no luck for some reason. So I tried to manually replicate this in dev. With an invalid refresh_token, the import works as usual. I guess that's only needed for refreshing. With an invalid token, a 403 error message appears (existing functionality):
So I don't know how to reliably replicate this issue. @mkllnk do you think it would be ok to merge it as-is and see how we go? Or wait until it occurs on the staging environment, stage it, and confirm it then?
It's not a class method, it's an instance method. You'll need
Oops, thanks you're absolutely right. I did try that before, but now I see that I was testing it wrong that time. Will try again next week.
I'm not sure if this can be tested easily, or needs to be.
Nice catch! But I think that we can improve this if you have time.
I forgot how hard it is to do view stuff in controllers. I tried using the short lazy-lookup key '.oauth_error_html', which is supposed to work in controllers. But perhaps it doesn't work within a rescue?
Nice to have the link. What about updating the OIDC account and deleting the token so that it can be refreshed more easily?
Ah, I misunderstood your initial message and didn't read that as a suggested change 😅
@mkllnk I made a start on this, but have to admit I'm not really sure and it might not be worth following up. Am I on the right track, or should we just stop here (at "[fixup] Sanitise content from external source") and move on?
rescue Rack::OAuth2::Client::Error => e | ||
@user.oidc_account.update!( | ||
token: nil, | ||
refresh_token: nil | ||
) | ||
throw e |
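Review bot: `throw e` in the last line of the hunk is Ruby's catch/throw control flow, not exception re-raising; with no enclosing `catch` block it raises UncaughtThrowError, so the original Rack::OAuth2::Client::Error never reaches the controller's rescue for that class and the flash message is never set. Use a bare `raise` (or `raise e`) after the `update!`. It is also worth noting that `update!` can itself raise a validation error, which would replace the OAuth error being reported.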
Yes, that's what I imagined. I also imagined a custom error class but that's just nice to have.
Thanks, that crossed my mind too but I figured it could be added later if needed.
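The clear-tokens-then-re-raise handling the two comments above agree on, as an added stand-alone Ruby example rather than the project's code; `OAuthClientError` and `OidcAccount` are stand-ins for the gem's error class and the ActiveRecord model, and the last method shows why `throw` is the wrong re-raise.

```ruby
# Added example (not Open Food Network code): the "clear the stale OIDC tokens,
# then re-raise" pattern discussed in this thread, without Rails so it runs alone.
# Stand-in for Rack::OAuth2::Client::Error; the message format matches the thread.
class OAuthClientError < StandardError
  def initialize(code, description)
    super("#{code} :: #{description}")
  end
end

# Stand-in for the oidc_account record with its two token columns.
class OidcAccount
  attr_accessor :token, :refresh_token

  def initialize(token:, refresh_token:)
    @token = token
    @refresh_token = refresh_token
  end

  def update!(attrs)
    attrs.each { |column, value| public_send("#{column}=", value) }
    self
  end
end

# Runs the refresh; on an OAuth error the tokens are cleared so the user can
# reconnect, then the original exception propagates to the caller's rescue.
def refresh_with_reset(account)
  yield
rescue OAuthClientError
  account.update!(token: nil, refresh_token: nil)
  raise # bare raise re-raises the same exception object
end

# Mirrors the controller: turn the error into a flash string and carry on.
def import_with_flash(account, &import)
  refresh_with_reset(account, &import)
  { flash: nil, account: account }
rescue OAuthClientError => e
  { flash: e.message, account: account }
end

# What `throw e` does instead: `throw` is catch/throw control flow, so with no
# enclosing `catch` the caller sees UncaughtThrowError and a rescue written for
# OAuthClientError never runs.
def rethrow_class(error)
  throw error
rescue UncaughtThrowError => e
  e.class
end
```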
Co-authored-by: Maikel <maikel@email.org.au>
But the test session isn't active! [skip ci]
@@ -88,5 +88,33 @@ | |||
products = graph.select { |s| s.semanticType == "dfc-b:SuppliedProduct" } | |||
expect(products).to be_present | |||
end | |||
|
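Review bot: the header `@@ -88,5 +88,33 @@` announces 28 added lines, but only the unchanged context (the `graph.select` on dfc-b:SuppliedProduct, the `expect`, and `end`) is shown here, so the new example cannot be reviewed from this excerpt. When it is visible, it should stub the token endpoint response with the `invalid_grant :: Session not active` body quoted in the thread and assert that both `token` and `refresh_token` on the oidc_account end up nil, rather than depending on a recorded session.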
@mkllnk I've had a go at speccing this, but in order to test that it clears the tokens, we need to set tokens first.
I've copied secret vars from Bitwarden and am able to make these requests, but the test session isn't active and results in the error "invalid_grant :: Session not active" (the exact error I'm trying to test!)
Am I doing things the long way round? Let me know if you see a better way.
Otherwise, can you please help me to refresh the session? Then hopefully the below spec will work.
I wouldn't use VCR for this because the spec then depends on the state of your session. The one in Bitwarden is probably outdated. Use webmock. And you got the right error response to fill your example already.
Thanks for the feedback. I had another go, but I can't seem to set up the right context for this case to work.
Maybe it's not worth trying to make the spec. What if we merge this without a spec, and see if it solves the errors?
Catches the OAuth exception listed here: https://app.bugsnag.com/yaycode/openfoodnetwork-uk/errors/66e89c5fdf0c335670df0dd3?filters%5Bevent.since%5D=all (note that the Faraday::ServerError is already handled, although I haven't added a spec for it.)
What? Why?
What should we test?
It occurs when the session dies for some reason. I'm not sure if there's a way to trigger it.
Manually triggered within a spec:
Release notes
Changelog Category (reviewers may add a label for the release notes):