Should a revoked refresh token result in an AuthException? #232
Comments
Thanks for the detailed write up! I'm raising this with the team to see if we can fix up this behavior.
Another vote for this. Without being able to inform users that the link is broken, you can end up in a scenario where things like auto backups and/or syncing silently stop working, potentially resulting in data loss for the user.
@bellissimo Thanks for the feedback!
Hi all, has there been further discussion on how to proceed with this?
@jonsagara This is still open with engineering, but I don't have an update on it yet. I'll follow up here once I do.
Describe the bug
In testing a revoked refresh token used when calling Files.ListFolderAsync, the Dropbox SDK threw a generic HttpRequestException with status 400 Bad Request. There is no indication of what failed or why.
Here is the sample code that I ran in LINQPad:
Here is the stack trace of the HttpRequestException from the request to https://api.dropbox.com/oauth2/token:
Here is the raw response returned by Fiddler:
If I make a similar request using an old-style long-lived access token, I get an AuthException whose Message is invalid_access_token/... . This I can use to alert the user that my app can no longer communicate with Dropbox on their behalf.
Here is the sample code:
Here is the stack trace of the AuthException from the request to https://api.dropboxapi.com/2/files/list_folder:
Here is the raw response returned by Fiddler:
To Reproduce
Connected Apps in their Dropbox.com settings.
Expected Behavior
When trying to use a revoked refresh token, I expect the SDK to throw an AuthException telling me that the refresh token is invalid or has been revoked.
Actual Behavior
The SDK throws a generic HttpRequestException with no details as to what caused the failure.
I believe the issue is in DropboxRequestHandler.cs in the RefreshAccessToken method:
dropbox-sdk-dotnet/dropbox-sdk-dotnet/Dropbox.Api/DropboxRequestHandler.cs
Lines 275 to 300 in dbd3a37
At line 279, it handles an Unauthorized response, but it doesn't handle the 400 Bad Request returned by the API. The subsequent call to response.EnsureSuccessStatusCode(); on line 288 causes the generic HttpRequestException to be thrown.
Would it be possible to add error handling before line 288 to throw an AuthException if it detects an invalid or revoked refresh token?
Versions
Dropbox.Api 6.4.0
C# 9.0
Thank you,
Jon
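The kind of check the issue asks for, sketched as an added example that is not part of the original issue or of the Dropbox SDK's code. It assumes the token endpoint answers a rejected refresh token with a 400 and an RFC 6749 section 5.2 JSON error body whose `error` is `invalid_grant`; `RefreshTokenRejectedException` and `TokenResponseCheck` are hypothetical names, and System.Text.Json is assumed to be available.

```csharp
using System;
using System.Net;
using System.Text.Json;

// Hypothetical exception type for this example; not part of Dropbox.Api.
public sealed class RefreshTokenRejectedException : Exception
{
    public string ErrorCode { get; }
    public RefreshTokenRejectedException(string errorCode, string description)
        : base($"{errorCode}: {description}") => ErrorCode = errorCode;
}

public static class TokenResponseCheck
{
    // Inspect the token-endpoint response before a call such as
    // EnsureSuccessStatusCode() throws and the body is lost.
    public static void ThrowIfRefreshRejected(HttpStatusCode status, string body)
    {
        if (status != HttpStatusCode.BadRequest) return;

        string error = null, description = null;
        try
        {
            using var doc = JsonDocument.Parse(body ?? "");
            var root = doc.RootElement;
            if (root.ValueKind == JsonValueKind.Object)
            {
                if (root.TryGetProperty("error", out var e) && e.ValueKind == JsonValueKind.String)
                    error = e.GetString();
                if (root.TryGetProperty("error_description", out var d) && d.ValueKind == JsonValueKind.String)
                    description = d.GetString();
            }
        }
        catch (JsonException) { } // non-JSON body: leave it to generic error handling

        // RFC 6749 section 5.2: invalid_grant covers an invalid, expired or revoked refresh token.
        if (error == "invalid_grant")
            throw new RefreshTokenRejectedException(error, description ?? "(no description)");
    }

    public static void Main()
    {
        // Constructed sample body in RFC 6749 error format, not captured from Dropbox.
        const string sample = "{\"error\":\"invalid_grant\",\"error_description\":\"constructed sample\"}";
        try { ThrowIfRefreshRejected(HttpStatusCode.BadRequest, sample); }
        catch (RefreshTokenRejectedException ex) { Console.WriteLine($"Re-link required: {ex.Message}"); }
        ThrowIfRefreshRejected(HttpStatusCode.BadRequest, "<html>error</html>"); // does not throw
    }
}
```

A typed exception like this lets background sync or backup code surface a "reconnect your account" prompt instead of failing silently on every refresh attempt.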