package handlers
import (
"context"
"log/slog"
"strings"
"atcr.io/pkg/auth/oauth"
)
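// isOAuthError reports whether err looks like an OAuth authentication failure,
// i.e. the OAuth session is invalid and should be cleaned up.
//
// Classification is a heuristic: it is a case-insensitive text match on
// err.Error(), not an inspection of a typed error or of the real HTTP status.
// A true result makes handleOAuthError delete the session for the DID, so a
// false positive costs the user a working session. For that reason the numeric
// status codes are only accepted as standalone tokens; a bare substring match
// would also fire on unrelated numbers such as "14013 bytes" or port ":4030".
//
// NOTE(review): "403" and "use_dpop_nonce" are kept because the original
// matched them, but neither necessarily means the session is dead (403 can be
// an authorization denial, use_dpop_nonce normally asks for a retry with a
// fresh nonce) — confirm that tearing the session down is intended for both.
// NOTE(review): if err can embed text supplied by a remote server, that server
// can influence this decision; a typed error carrying the status code would be
// a sturdier signal — confirm what oauth exposes.
func isOAuthError(err error) bool {
	if err == nil {
		return false
	}

	msg := strings.ToLower(err.Error())

	// HTTP status codes: must not be part of a longer number or identifier.
	if containsStatusCode(msg, "401") || containsStatusCode(msg, "403") {
		return true
	}

	// OAuth error codes and generic auth-failure phrases, matched as substrings.
	for _, marker := range []string{
		"invalid_token",
		"invalid_grant",
		"use_dpop_nonce",
		"unauthorized",
		"authentication failed",
	} {
		if strings.Contains(msg, marker) {
			return true
		}
	}

	// "token ... expired" in any order and at any distance within the message.
	return strings.Contains(msg, "token") && strings.Contains(msg, "expired")
}

// containsStatusCode reports whether code occurs in s as a standalone token,
// meaning it is not directly preceded or followed by an ASCII letter or digit.
// Punctuation and whitespace count as separators, so "http 401:", "status=401"
// and "(403)" match while "14013" and ":4030" do not.
func containsStatusCode(s, code string) bool {
	for from := 0; from <= len(s); {
		i := strings.Index(s[from:], code)
		if i < 0 {
			return false
		}
		start := from + i
		end := start + len(code)
		leftOK := start == 0 || !isASCIIAlnum(s[start-1])
		rightOK := end == len(s) || !isASCIIAlnum(s[end])
		if leftOK && rightOK {
			return true
		}
		// Keep scanning: a later occurrence may still be standalone.
		from = start + 1
	}
	return false
}

// isASCIIAlnum reports whether b is an ASCII letter or digit.
func isASCIIAlnum(b byte) bool {
	return (b >= '0' && b <= '9') || (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z')
}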
// handleOAuthError classifies err with isOAuthError and, when it is an OAuth
// failure, logs a warning and asks refresher to delete the session for did.
//
// It returns true when err was classified as an OAuth error, in which case the
// caller should return early, and false otherwise (including for a nil err).
//
// The return value does not reflect whether the deletion worked: a failed
// DeleteSession is only logged, so the session may still exist after a true
// result.
// NOTE(review): err is logged verbatim next to the DID — confirm that upstream
// errors never carry token material before these logs are shipped anywhere
// broadly readable.
func handleOAuthError(ctx context.Context, refresher *oauth.Refresher, did string, err error) bool {
	// Anything that is not an OAuth failure leaves the session untouched.
	if oauthFailure := isOAuthError(err); !oauthFailure {
		return false
	}

	slog.Warn("OAuth error detected, invalidating sessions",
		slog.String("component", "handlers"),
		slog.String("did", did),
		slog.Any("error", err))

	// Drop the stored session for this DID; presumably this is what invalidates
	// the UI sessions — verify against oauth.Refresher.
	cleanupErr := refresher.DeleteSession(ctx, did)
	if cleanupErr != nil {
		// Best effort: report the failed cleanup but still tell the caller to stop.
		slog.Warn("Failed to delete OAuth session after error",
			slog.String("component", "handlers"),
			slog.String("did", did),
			slog.Any("error", cleanupErr))
	}

	return true
}