Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-12 15:33:39 +02:00
Code Issues Activity

refactor(oauth2): apply review feedback to refresh error handling

Browse Source 
- use errors.As so wrapped *oauth2.RetrieveError still matches
- early-return on non-invalid_grant errors instead of if/else
- log UserID instead of ExternalID to avoid leaking provider-side
  identifiers (which can be username/email) into INFO logs

Co-Authored-By: Claude (Opus 4.7) <noreply@anthropic.com>
This commit is contained in:
silverwind 2026-05-07 22:54:55 +02:00
parent 600ff0cebd
commit 3dca98db92
No known key found for this signature in database
GPG Key ID: 2E62B41C93869443
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
services/auth/source/oauth2/source_sync.go
View File

@ -5,6 +5,7 @@ package oauth2
import ( import (
"context" "context"
"errors"
"time" "time"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
@ -49,20 +50,20 @@ func (source *Source) refresh(ctx context.Context, provider goth.Provider, u *us
token, err := provider.RefreshToken(u.RefreshToken) token, err := provider.RefreshToken(u.RefreshToken)
if err != nil { if err != nil {
if retrieveErr, ok := err.(*oauth2.RetrieveError); ok && retrieveErr.ErrorCode == "invalid_grant" { var retrieveErr *oauth2.RetrieveError
log.Info("SyncExternalUsers[%s] dropping invalid refresh token for external login %s", source.AuthSource.Name, u.ExternalID) if !errors.As(err, &retrieveErr) || retrieveErr.ErrorCode != "invalid_grant" {
// Refresh tokens can expire or be revoked independently from the
// upstream account state. Keep the local user active and only clear
// the cached tokens until the next successful OAuth sign-in updates them.
u.AccessToken = ""
u.RefreshToken = ""
u.ExpiresAt = time.Time{}
return user_model.UpdateExternalUserByExternalID(ctx, u)
} else {
return err return err
} }
log.Info("SyncExternalUsers[%s] dropping invalid refresh token for user %d", source.AuthSource.Name, u.UserID)
// Refresh tokens can expire or be revoked independently from the
// upstream account state. Keep the local user active and only clear
// the cached tokens until the next successful OAuth sign-in updates them.
u.AccessToken = ""
u.RefreshToken = ""
u.ExpiresAt = time.Time{}
return user_model.UpdateExternalUserByExternalID(ctx, u)
} }
// Otherwise, update the tokens // Otherwise, update the tokens