Add bin/auth refresh for debugging OAuth token refresh issues

Summary: Ref T2852. Provide a script for inspecting/debugging OAuth token refresh. Test Plan: Ran `bin/auth refresh` with various arguments, saw token refreshes. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2852 Differential Revision: https://secure.phabricator.com/D6276
2024-11-22 06:42:42 +01:00 · 2013-06-24 15:55:41 -07:00 · 2013-06-24 15:55:41 -07:00 · c94ef134e4
commit c94ef134e4
parent b22e52e40c
5 changed files with 161 additions and 3 deletions
--- a/scripts/setup/manage_auth.php
+++ b/scripts/setup/manage_auth.php
@ -16,6 +16,7 @@ $args->parseStandardArguments();

 $workflows = array(
  new PhabricatorAuthManagementRecoverWorkflow(),
+  new PhabricatorAuthManagementRefreshWorkflow(),
  new PhabricatorAuthManagementLDAPWorkflow(),
  new PhutilHelpArgumentWorkflow(),
 );
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -836,6 +836,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthLoginController' => 'applications/auth/controller/PhabricatorAuthLoginController.php',
    'PhabricatorAuthManagementLDAPWorkflow' => 'applications/auth/management/PhabricatorAuthManagementLDAPWorkflow.php',
    'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php',
+    'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php',
    'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php',
    'PhabricatorAuthNewController' => 'applications/auth/controller/config/PhabricatorAuthNewController.php',
    'PhabricatorAuthOldOAuthRedirectController' => 'applications/auth/controller/PhabricatorAuthOldOAuthRedirectController.php',
@ -2712,6 +2713,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthLoginController' => 'PhabricatorAuthController',
    'PhabricatorAuthManagementLDAPWorkflow' => 'PhabricatorAuthManagementWorkflow',
    'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow',
+    'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow',
    'PhabricatorAuthManagementWorkflow' => 'PhutilArgumentWorkflow',
    'PhabricatorAuthNewController' => 'PhabricatorAuthProviderConfigController',
    'PhabricatorAuthOldOAuthRedirectController' => 'PhabricatorAuthController',
--- a/src/applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php
@ -0,0 +1,144 @@
+<?php
+
+final class PhabricatorAuthManagementRefreshWorkflow
+  extends PhabricatorAuthManagementWorkflow {
+
+  protected function didConstruct() {
+    $this
+      ->setName('refresh')
+      ->setExamples('**refresh**')
+      ->setSynopsis(
+        pht(
+          'Refresh OAuth access tokens. This is primarily useful for '.
+          'development and debugging.'))
+      ->setArguments(
+        array(
+          array(
+            'name' => 'user',
+            'param' => 'user',
+            'help' => 'Refresh tokens for a given user.',
+          ),
+          array(
+            'name' => 'type',
+            'param' => 'provider',
+            'help' => 'Refresh tokens for a given provider type.',
+          ),
+          array(
+            'name' => 'domain',
+            'param' => 'domain',
+            'help' => 'Refresh tokens for a given domain.',
+          ),
+        ));
+  }
+
+  public function execute(PhutilArgumentParser $args) {
+    $console = PhutilConsole::getConsole();
+    $viewer = PhabricatorUser::getOmnipotentUser();
+
+    $query = id(new PhabricatorExternalAccountQuery())
+      ->setViewer($viewer);
+
+    $username = $args->getArg('user');
+    if (strlen($username)) {
+      $user = id(new PhabricatorPeopleQuery())
+        ->setViewer($viewer)
+        ->withUsernames(array($username))
+        ->executeOne();
+      if ($user) {
+        $query->withUserPHIDs(array($user->getPHID()));
+      } else {
+        throw new PhutilArgumentUsageException(
+          pht('No such user "%s"!', $username));
+      }
+    }
+
+
+    $type = $args->getArg('type');
+    if (strlen($type)) {
+      $query->withAccountTypes(array($type));
+    }
+
+    $domain = $args->getArg('domain');
+    if (strlen($domain)) {
+      $query->withAccountDomains(array($domain));
+    }
+
+    $accounts = $query->execute();
+
+    if (!$accounts) {
+      throw new PhutilArgumentUsageException(
+        pht("No accounts match the arguments!"));
+    } else {
+      $console->writeOut(
+        "%s\n",
+        pht(
+          "Found %s accounts to refresh.",
+          new PhutilNumber(count($accounts))));
+    }
+
+    $providers = PhabricatorAuthProvider::getAllEnabledProviders();
+
+    foreach ($accounts as $account) {
+      $console->writeOut(
+        "%s\n",
+        pht(
+          "Refreshing account #%d (%s/%s).",
+          $account->getID(),
+          $account->getAccountType(),
+          $account->getAccountDomain()));
+
+      $key = $account->getProviderKey();
+      if (empty($providers[$key])) {
+        $console->writeOut(
+          "> %s\n",
+          pht("Skipping, provider is not enabled or does not exist."));
+        continue;
+      }
+
+      $provider = $providers[$key];
+      if (!($provider instanceof PhabricatorAuthProviderOAuth)) {
+        $console->writeOut(
+          "> %s\n",
+          pht("Skipping, provider is not an OAuth provider."));
+        continue;
+      }
+
+      $adapter = $provider->getAdapter();
+      if (!$adapter->supportsTokenRefresh()) {
+        $console->writeOut(
+          "> %s\n",
+          pht("Skipping, provider does not support token refresh."));
+        continue;
+      }
+
+      $refresh_token = $account->getProperty('oauth.token.refresh');
+      if (!$refresh_token) {
+        $console->writeOut(
+          "> %s\n",
+          pht("Skipping, provider has no stored refresh token."));
+        continue;
+      }
+
+      $console->writeOut(
+        "+ %s\n",
+        pht(
+          "Refreshing token, current token expires in %s seconds.",
+          new PhutilNumber(
+            $account->getProperty('oauth.token.access.expires') - time())));
+
+      $adapter->refreshAccessToken($refresh_token);
+
+      $console->writeOut(
+        "+ %s\n",
+        pht(
+          "Refreshed token, new token expires in %s seconds.",
+          new PhutilNumber($adapter->getAccessTokenExpires() - time())));
+
+    }
+
+    $console->writeOut("%s\n", pht("Done."));
+
+    return 0;
+  }
+
+}
--- a/src/applications/auth/provider/PhabricatorAuthProviderOAuth.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderOAuth.php
@ -284,9 +284,20 @@ abstract class PhabricatorAuthProviderOAuth extends PhabricatorAuthProvider {
  protected function willSaveAccount(PhabricatorExternalAccount $account) {
    parent::willSaveAccount($account);

-    $oauth_token = $this->getAdapter()->getAccessToken();
-    $account->setProperty('oauth.token', $oauth_token);
+    $adapter = $this->getAdapter();

+    $oauth_token = $adapter->getAccessToken();
+    $account->setProperty('oauth.token.access', $oauth_token);
+
+    if ($adapter->supportsTokenRefresh()) {
+      $refresh_token = $adapter->getRefreshToken();
+      $account->setProperty('oauth.token.refresh', $refresh_token);
+    } else {
+      $account->setProperty('oauth.token.refresh', null);
+    }
+
+    $expires = $adapter->getAccessTokenExpires();
+    $account->setProperty('oauth.token.access.expires', $expires);
  }

 }
--- a/src/applications/doorkeeper/bridge/DoorkeeperBridgeAsana.php
+++ b/src/applications/doorkeeper/bridge/DoorkeeperBridgeAsana.php
@ -35,7 +35,7 @@ final class DoorkeeperBridgeAsana extends DoorkeeperBridge {
    // right now so this is currently moot.
    $account = head($accounts);

-    $token = $account->getProperty('oauth.token');
+    $token = $account->getProperty('oauth.token.access');
    if (!$token) {
      return;
    }