Handle 401 Unauthorized during token refresh

spewu · spewu · commit a1fd0a63bf7c · 2025-11-19T13:57:30.000+01:00
- Added try-catch for handling FlurlHttpException with status code 401 when refreshing tokens.
- Clears stored tokens and improves error logging.
- Updated SignalRHostedService to return null on failed token refresh, preventing continuous auth attempts and triggering reconnect.
- Enhanced fallback behavior for network/server errors during token refresh.
diff --git a/ProReception.DistributionServerInfrastructure/HostedServices/SignalRHostedService.cs b/ProReception.DistributionServerInfrastructure/HostedServices/SignalRHostedService.cs
@@ -153,15 +153,23 @@ private async Task LoginAndCreateSignalRConnection(CancellationToken cancellatio
                                 current = await proReceptionApiClient.RefreshAndSaveTokens(current);
                                 logger.LogInformation("SignalR AccessTokenProvider: token refreshed");
                             }
+                            catch (FlurlHttpException ex) when (ex.StatusCode == 401)
+                            {
+                                logger.LogError(ex, "SignalR AccessTokenProvider: Token refresh failed with 401 Unauthorized. Tokens have been cleared. Returning null to stop authentication attempts.");
+                                // Return null to signal authentication failure
+                                // This will cause SignalR connection to fail and trigger the Closed event
+                                // The Closed event handler will restart ExecuteStartUp which waits for new tokens
+                                return null;
+                            }
                             catch (Exception ex)
                             {
-                                logger.LogError(ex, "SignalR AccessTokenProvider: CRITICAL - failed to refresh token, using existing token");
-                                // Return existing token (may fail with 401 and trigger reconnect)
-                                // Don't throw - let SignalR handle the authentication failure and reconnect
+                                logger.LogError(ex, "SignalR AccessTokenProvider: Failed to refresh token due to network/server error, attempting with existing token");
+                                // For non-401 errors (network issues, server errors, etc.), try with existing token
+                                // It might work, or fail and trigger reconnect
                                 if (string.IsNullOrWhiteSpace(current.AccessToken))
                                 {
-                                    logger.LogError("SignalR AccessTokenProvider: No valid token available, returning empty string");
-                                    return string.Empty;
+                                    logger.LogError("SignalR AccessTokenProvider: No valid token available, returning null");
+                                    return null;
                                 }
                             }
                         }
diff --git a/ProReception.DistributionServerInfrastructure/ProReceptionApi/ApiClientBase.cs b/ProReception.DistributionServerInfrastructure/ProReceptionApi/ApiClientBase.cs
@@ -69,12 +69,21 @@ public async Task<TokensRecord> RefreshAndSaveTokens(TokensRecord tokensRecord)
     {
         _logger.LogInformation("Refreshing ProReception tokens...");
 
-        var response = await _configuration.BaseUrl
-            .AppendPathSegment("auth/refresh")
-            .PostJsonAsync(new { tokensRecord.AccessToken, tokensRecord.RefreshToken })
-            .ReceiveJson<TokenResponse>();
+        try
+        {
+            var response = await _configuration.BaseUrl
+                .AppendPathSegment("auth/refresh")
+                .PostJsonAsync(new { tokensRecord.AccessToken, tokensRecord.RefreshToken })
+                .ReceiveJson<TokenResponse>();
 
-        return await SaveTokensToSettings(response);
+            return await SaveTokensToSettings(response);
+        }
+        catch (FlurlHttpException ex) when (ex.StatusCode == 401)
+        {
+            _logger.LogWarning("Token refresh failed with 401 Unauthorized. Clearing stored tokens.");
+            await _settingsManagerBase.RemoveTokens();
+            throw; // Re-throw so caller knows refresh failed
+        }
     }
 
     public async Task<T> Query<T>(Func<IFlurlRequest, Task<T>> getRequestFunc) =>
@@ -127,8 +136,15 @@ private async Task<string> GetAccessTokenAsync()
             return tokensRecord.AccessToken;
         }
 
-        var refreshedTokens = await RefreshAndSaveTokens(tokensRecord);
-
-        return refreshedTokens.AccessToken;
+        try
+        {
+            var refreshedTokens = await RefreshAndSaveTokens(tokensRecord);
+            return refreshedTokens.AccessToken;
+        }
+        catch (FlurlHttpException ex) when (ex.StatusCode == 401)
+        {
+            // Tokens were already cleared in RefreshAndSaveTokens
+            throw new InvalidOperationException("Your session has expired. Please log in again.", ex);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -153,15 +153,23 @@ private async Task LoginAndCreateSignalRConnection(CancellationToken cancellatio`
`153`	`153`	`current = await proReceptionApiClient.RefreshAndSaveTokens(current);`
`154`	`154`	`logger.LogInformation("SignalR AccessTokenProvider: token refreshed");`
`155`	`155`	`}`
	`156`	`+ catch (FlurlHttpException ex) when (ex.StatusCode == 401)`
	`157`	`+ {`
	`158`	`+ logger.LogError(ex, "SignalR AccessTokenProvider: Token refresh failed with 401 Unauthorized. Tokens have been cleared. Returning null to stop authentication attempts.");`
	`159`	`+ // Return null to signal authentication failure`
	`160`	`+ // This will cause SignalR connection to fail and trigger the Closed event`
	`161`	`+ // The Closed event handler will restart ExecuteStartUp which waits for new tokens`
	`162`	`+ return null;`
	`163`	`+ }`
`156`	`164`	`catch (Exception ex)`
`157`	`165`	`{`
`158`		`- logger.LogError(ex, "SignalR AccessTokenProvider: CRITICAL - failed to refresh token, using existing token");`
`159`		`- // Return existing token (may fail with 401 and trigger reconnect)`
`160`		`- // Don't throw - let SignalR handle the authentication failure and reconnect`
	`166`	`+ logger.LogError(ex, "SignalR AccessTokenProvider: Failed to refresh token due to network/server error, attempting with existing token");`
	`167`	`+ // For non-401 errors (network issues, server errors, etc.), try with existing token`
	`168`	`+ // It might work, or fail and trigger reconnect`
`161`	`169`	`if (string.IsNullOrWhiteSpace(current.AccessToken))`
`162`	`170`	`{`
`163`		`- logger.LogError("SignalR AccessTokenProvider: No valid token available, returning empty string");`
`164`		`- return string.Empty;`
	`171`	`+ logger.LogError("SignalR AccessTokenProvider: No valid token available, returning null");`
	`172`	`+ return null;`
`165`	`173`	`}`
`166`	`174`	`}`
`167`	`175`	`}`