openfoodfoundation · dacook · Jan 15, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 22, 2025
diff --git a/app/controllers/admin/dfc_product_imports_controller.rb b/app/controllers/admin/dfc_product_imports_controller.rb
@@ -35,6 +35,15 @@ def index
       end
 
       @count = imported.compact.count
+    rescue Rack::OAuth2::Client::Error => e
+      flash[:error] = I18n.t(
+        'admin.dfc_product_imports.index.oauth_error_html',
+        message: helpers.sanitize(e.message),
+        oidc_settings_link: helpers.link_to(
+          I18n.t('spree.admin.tab.oidc_settings'), Rails.application.routes.url_helpers.admin_oidc_settings_path
+        )
+      ).html_safe
+      redirect_to admin_product_import_path
     rescue Faraday::Error,
            Addressable::URI::InvalidURIError,
            ActionController::ParameterMissing => e

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -849,6 +849,7 @@ en:
       index:
         title: "Importing a DFC product catalog"
         imported_products: "Imported products:"
+        oauth_error_html: "Authentication error: %{message}. See %{oidc_settings_link}"
     enterprise_fees:
       index:
         title: "Enterprise Fees"

diff --git a/engines/dfc_provider/app/services/dfc_request.rb b/engines/dfc_provider/app/services/dfc_request.rb
@@ -81,5 +81,11 @@ def refresh_access_token!
       token: token.access_token,
       refresh_token: token.refresh_token
     )
+    rescue Rack::OAuth2::Client::Error => e
+      @user.oidc_account.update!(
+        token: nil,
+        refresh_token: nil
+      )
+      raise
   end
 end
diff --git a/engines/dfc_provider/spec/services/dfc_request_spec.rb b/engines/dfc_provider/spec/services/dfc_request_spec.rb
@@ -63,27 +63,58 @@
     # The absence of errors makes this test pass.
   end
 
-  it "refreshes the access token and retrieves the FDC catalog", vcr: true do
-    # A refresh is only attempted if the token is stale.
-    account.uid = "testdfc@protonmail.com"
-    account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
-    account.updated_at = 1.day.ago
-
-    response = nil
-    expect {
-      response = api.call(
-        "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
-      )
-    }.to change {
-      account.token
-    }.and change {
-      account.refresh_token
-    }
-
-    json = JSON.parse(response)
-
-    graph = DfcIo.import(json)
-    products = graph.select { |s| s.semanticType == "dfc-b:SuppliedProduct" }
-    expect(products).to be_present
+  describe "refreshing token when stale" do
+    before do
+      account.uid = "testdfc@protonmail.com"
+      account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
+      account.updated_at = 1.day.ago
+    end
+
+    it "refreshes the access token and retrieves the FDC catalog", vcr: true do
+      response = nil
+      expect {
+        response = api.call(
+          "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
+        )
+      }.to change {
+        account.token
+      }.and change {
+        account.refresh_token
+      }
+
+      json = JSON.parse(response)
+
+      graph = DfcIo.import(json)
+      products = graph.select { |s| s.semanticType == "dfc-b:SuppliedProduct" }
+      expect(products).to be_present
+    end
+
+    context "with account tokens" do
+      before do
+        account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
+        api.call(
+          "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
+        )
+        expect(account.token).not_to be_nil
+      end
+
+      it "clears the token if authentication fails", vcr: true do
+        allow_any_instance_of(OpenIDConnect::Client).to receive(:access_token!).and_raise(
+          Rack::OAuth2::Client::Error.new(
+            1, { error: "invalid_grant", error_description: "session not active" }
+          )
+        )
+
+        expect {
+          api.call(
+            "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
+          )
+        }.to raise_error(Rack::OAuth2::Client::Error).and change {
+          account.token
+        }.to(nil).and change {
+          account.refresh_token
+        }.to(nil)
+      end
+    end
   end
 end
diff --git a/spec/fixtures/vcr_cassettes/DFC_Product_Import/shows_oauth_error_message.yml b/spec/fixtures/vcr_cassettes/DFC_Product_Import/shows_oauth_error_message.yml
diff --git a/...reshing_token_when_stale/with_account_tokens/clears_the_token_if_authentication_fails.yml b/...reshing_token_when_stale/with_account_tokens/clears_the_token_if_authentication_fails.yml
diff --git a/spec/system/admin/dfc_product_import_spec.rb b/spec/system/admin/dfc_product_import_spec.rb
@@ -74,6 +74,30 @@
     expect(product.image).to be_present
   end
 
+  it "shows oauth error message", vcr: true do
+    allow_any_instance_of(DfcRequest).to receive(:refresh_access_token!).and_raise(
+      Rack::OAuth2::Client::Error.new(
+        1, { error: "invalid_grant", error_description: "session not active" }
+      )
+    )
+
+    user.update!(oidc_account: build(:testdfc_account))
+
+    visit admin_product_import_path
+
+    select enterprise.name, from: "Enterprise"
+    url = "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
+    fill_in "catalog_url", with: url
+
+    click_button "Import"
+
+    within ".flash" do
+      expect(page).to have_content "invalid_grant"
+      expect(page).to have_content "session not active"
+      expect(page).to have_link "OIDC Settings"
+    end
+  end
+
   it "fails gracefully" do
     user.oidc_account.update!(
       uid: "anonymous@example.net",