Add more details when reset password required error is received (#2382)

nilo-ms · web-flow · commit fc74dfe4b020 · 2024-11-07T17:34:31.000Z
* add dedicated error description when reset password required error is returned from token endpoint

* handle reset password required during token refresh

* Add new unit tests for reset password required error

* update changelog file
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## [Next release]:
+* Add native auth instructions to error description when reset password required is returned (#2582)
+
 ## [1.6.1]:
 * Support extra query parameters on logout endpoint (#2339)
 * Add support functions to help broker improve cross cloud experience (#2361)
diff --git a/MSAL/src/native_auth/network/errors/MSALNativeAuthESTSApiErrorCodes.swift b/MSAL/src/native_auth/network/errors/MSALNativeAuthESTSApiErrorCodes.swift
@@ -28,4 +28,5 @@ enum MSALNativeAuthESTSApiErrorCodes: Int {
     case invalidCredentials = 50126
     case userNotHaveAPassword = 500222
     case invalidRequestParameter = 90100
+    case resetPasswordRequired = 50142
 }
diff --git a/MSAL/src/native_auth/network/errors/MSALNativeAuthErrorMessage.swift b/MSAL/src/native_auth/network/errors/MSALNativeAuthErrorMessage.swift
@@ -45,6 +45,7 @@ enum MSALNativeAuthErrorMessage {
     static let unexpectedResponseBody = "Unexpected response body received"
     static let unexpectedChallengeType = "Unexpected challenge type"
     static let refreshTokenMFARequiredError = "Multi-factor authentication is required, which can't be fulfilled as part of this flow. Please sign out and perform a new sign in operation. More information: "
+    static let passwordResetRequired = "User password change is required, which can't be fulfilled as part of this flow. Please reset the password and perform a new sign in operation. More information: "
 }
 
 // swiftlint:enable line_length
diff --git a/MSAL/src/native_auth/network/responses/validator/token/MSALNativeAuthTokenResponseValidator.swift b/MSAL/src/native_auth/network/responses/validator/token/MSALNativeAuthTokenResponseValidator.swift
@@ -139,6 +139,19 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         apiError: MSALNativeAuthTokenResponseError,
         context: MSIDRequestContext
     ) -> MSALNativeAuthTokenValidatedResponse {
+        var apiError = apiError
+        if apiError.errorCodes?.contains(MSALNativeAuthESTSApiErrorCodes.resetPasswordRequired.rawValue) ?? false {
+            let customErrorDescription = MSALNativeAuthErrorMessage.passwordResetRequired + (apiError.errorDescription ?? "")
+            apiError = MSALNativeAuthTokenResponseError(
+                error: apiError.error,
+                subError: apiError.subError,
+                errorDescription: customErrorDescription,
+                errorCodes: apiError.errorCodes,
+                errorURI: apiError.errorURI,
+                innerErrors: apiError.innerErrors,
+                continuationToken: apiError.continuationToken,
+                correlationId: apiError.correlationId)
+        }
         return handleInvalidResponseErrorCodes(
             apiError,
             context: context,
@@ -206,7 +219,8 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         case .invalidCredentials:
             return .invalidPassword(apiError)
         case .userNotHaveAPassword,
-             .invalidRequestParameter:
+             .invalidRequestParameter,
+             .resetPasswordRequired:
             return .generalError(apiError)
         }
     }
@@ -219,7 +233,8 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         case .userNotFound,
             .invalidCredentials,
             .userNotHaveAPassword,
-            .invalidRequestParameter:
+            .invalidRequestParameter,
+            .resetPasswordRequired:
             return .invalidRequest(apiError)
         }
     }
diff --git a/MSAL/src/native_auth/public/MSALNativeAuthUserAccountResult+Internal.swift b/MSAL/src/native_auth/public/MSALNativeAuthUserAccountResult+Internal.swift
@@ -90,6 +90,8 @@ extension MSALNativeAuthUserAccountResult {
         let errorCodes = error.userInfo[MSALSTSErrorCodesKey] as? [Int] ?? []
         if isMFARequiredError(errorCodes: errorCodes) {
             message = MSALNativeAuthErrorMessage.refreshTokenMFARequiredError + message
+        } else if isResetPasswordRequiredError(errorCodes: errorCodes) {
+            message = MSALNativeAuthErrorMessage.passwordResetRequired + message
         }
         let correlationId = correlationIdFromMSALError(error: error) ?? context.correlationId()
         return RetrieveAccessTokenError(type: .generalError, message: message, correlationId: correlationId, errorCodes: errorCodes)
@@ -103,4 +105,8 @@ extension MSALNativeAuthUserAccountResult {
         let mfaRequiredErrorCode = 50076
         return errorCodes.contains(mfaRequiredErrorCode)
     }
+    
+    private func isResetPasswordRequiredError(errorCodes: [Int]) -> Bool {
+        return errorCodes.contains(MSALNativeAuthESTSApiErrorCodes.resetPasswordRequired.rawValue)
+    }
 }
diff --git a/MSAL/test/unit/native_auth/network/responses/validator/MSALNativeAuthTokenResponseValidatorTests.swift b/MSAL/test/unit/native_auth/network/responses/validator/MSALNativeAuthTokenResponseValidatorTests.swift
@@ -168,6 +168,29 @@ final class MSALNativeAuthTokenResponseValidatorTest: MSALNativeAuthTestCase {
         }
     }
     
+    func test_invalidRequestResetPasswordRequired_theErrorDescriptionContainsCorrectInformation() {
+        let continuationTokenResponse = "ct"
+        let description = "reset password required"
+        let errorCodes = [50142]
+        let error = MSALNativeAuthTokenResponseError(error: .invalidRequest, subError: nil, errorDescription: description, errorCodes: errorCodes, errorURI: nil, innerErrors: nil, continuationToken: continuationTokenResponse)
+
+        let context = MSALNativeAuthRequestContext(correlationId: defaultUUID)
+        let result = sut.validate(context: context, msidConfiguration: MSALNativeAuthConfigStubs.msidConfiguration, result: .failure(error))
+        
+        guard case .error(let errorType) = result else {
+            return XCTFail("Unexpected response")
+        }
+        guard case .invalidRequest(let validatedError) = errorType else {
+            return XCTFail("Unexpected Error")
+        }
+        XCTAssertEqual(validatedError.error, .invalidRequest)
+        XCTAssertEqual(validatedError.errorDescription, MSALNativeAuthErrorMessage.passwordResetRequired + description)
+        XCTAssertEqual(validatedError.errorCodes, errorCodes)
+        XCTAssertNil(validatedError.subError)
+        XCTAssertNil(validatedError.innerErrors)
+        XCTAssertNil(validatedError.errorURI)
+    }
+    
     func test_invalidGrantMFARequired_triggerStrongAuthRequiredResponse() {
         let continuationTokenResponse = "ct"
         let error = MSALNativeAuthTokenResponseError(error: .invalidGrant, subError: .mfaRequired, errorDescription: nil, errorCodes: nil, errorURI: nil, innerErrors: nil, continuationToken: continuationTokenResponse)
diff --git a/MSAL/test/unit/native_auth/public/MSALNativeAuthUserAccountResultTests.swift b/MSAL/test/unit/native_auth/public/MSALNativeAuthUserAccountResultTests.swift
@@ -388,7 +388,26 @@ class MSALNativeAuthUserAccountResultTests: XCTestCase {
         let error = NSError(domain: "", code: 1, userInfo: userInfo)
         silentTokenProviderFactoryMock.silentTokenProvider.error = error
         let delegateExp = expectation(description: "delegateDispatcher delegate exp")
-        let expectedError = RetrieveAccessTokenError(type: .generalError, message: MSALNativeAuthErrorMessage.refreshTokenMFARequiredError + message, correlationId: correlationId, errorCodes: [50076], errorUri: nil)
+        let expectedError = RetrieveAccessTokenError(type: .generalError, message: MSALNativeAuthErrorMessage.refreshTokenMFARequiredError + message, correlationId: correlationId, errorCodes: errorCodes, errorUri: nil)
+        let delegate = CredentialsDelegateSpy(expectation: delegateExp, expectedError: expectedError)
+        sut.getAccessToken(correlationId: correlationId,
+                           delegate: delegate)
+
+        await fulfillment(of: [delegateExp])
+    }
+    
+    func test_errorWithResetPasswordRequiredErrorCode_ErrorMessageShouldContainsCorrectMessage() async {
+        let correlationId = UUID()
+        let errorCodes = [50142]
+        let message = "message"
+        let userInfo: [String : Any] = [
+            MSALErrorDescriptionKey: message,
+            MSALSTSErrorCodesKey: errorCodes
+        ]
+        let error = NSError(domain: "", code: 1, userInfo: userInfo)
+        silentTokenProviderFactoryMock.silentTokenProvider.error = error
+        let delegateExp = expectation(description: "delegateDispatcher delegate exp")
+        let expectedError = RetrieveAccessTokenError(type: .generalError, message: MSALNativeAuthErrorMessage.passwordResetRequired + message, correlationId: correlationId, errorCodes: errorCodes, errorUri: nil)
         let delegate = CredentialsDelegateSpy(expectation: delegateExp, expectedError: expectedError)
         sut.getAccessToken(correlationId: correlationId,
                            delegate: delegate)

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,5 @@ enum MSALNativeAuthESTSApiErrorCodes: Int {`
`28`	`28`	`case invalidCredentials = 50126`
`29`	`29`	`case userNotHaveAPassword = 500222`
`30`	`30`	`case invalidRequestParameter = 90100`
	`31`	`+ case resetPasswordRequired = 50142`
`31`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ enum MSALNativeAuthErrorMessage {`
`45`	`45`	`static let unexpectedResponseBody = "Unexpected response body received"`
`46`	`46`	`static let unexpectedChallengeType = "Unexpected challenge type"`
`47`	`47`	`static let refreshTokenMFARequiredError = "Multi-factor authentication is required, which can't be fulfilled as part of this flow. Please sign out and perform a new sign in operation. More information: "`
	`48`	`+ static let passwordResetRequired = "User password change is required, which can't be fulfilled as part of this flow. Please reset the password and perform a new sign in operation. More information: "`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`// swiftlint:enable line_length`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,8 @@ extension MSALNativeAuthUserAccountResult {`
`90`	`90`	`let errorCodes = error.userInfo[MSALSTSErrorCodesKey] as? [Int] ?? []`
`91`	`91`	`if isMFARequiredError(errorCodes: errorCodes) {`
`92`	`92`	`message = MSALNativeAuthErrorMessage.refreshTokenMFARequiredError + message`
	`93`	`+ } else if isResetPasswordRequiredError(errorCodes: errorCodes) {`
	`94`	`+ message = MSALNativeAuthErrorMessage.passwordResetRequired + message`
`93`	`95`	`}`
`94`	`96`	`let correlationId = correlationIdFromMSALError(error: error) ?? context.correlationId()`
`95`	`97`	`return RetrieveAccessTokenError(type: .generalError, message: message, correlationId: correlationId, errorCodes: errorCodes)`
`@@ -103,4 +105,8 @@ extension MSALNativeAuthUserAccountResult {`
`103`	`105`	`let mfaRequiredErrorCode = 50076`
`104`	`106`	`return errorCodes.contains(mfaRequiredErrorCode)`
`105`	`107`	`}`
	`108`	`+`
	`109`	`+ private func isResetPasswordRequiredError(errorCodes: [Int]) -> Bool {`
	`110`	`+ return errorCodes.contains(MSALNativeAuthESTSApiErrorCodes.resetPasswordRequired.rawValue)`
	`111`	`+ }`
`106`	`112`	`}`