fix: handle OAuth token validation and error handling (#462)

armando-rodriguez-cko · web-flow · commit 8a3f04842945 · 2025-03-18T13:25:10.000+01:00
Changes:
- OAuthAccessToken: Added TokenType field and improved validation logic.
- OAuthSdkCredentials: Fixed grant_type position in request payload.
- OAuthServiceResponse: Enhanced IsValid method with stricter checks.
- Tests:
  - Added tests for OAuthAccessToken validation.
  - Added tests for OAuthSdkCredentials error handling.
  - Added tests for OAuthServiceResponse validation.
  - Mocked HTTP responses for OAuth SDK credentials.
diff --git a/src/CheckoutSdk/OAuthAccessToken.cs b/src/CheckoutSdk/OAuthAccessToken.cs
@@ -5,18 +5,29 @@ namespace Checkout
     public sealed class OAuthAccessToken
     {
         public string Token { get; }
+        public string TokenType { get; }
         private readonly DateTime? _expirationDate;
 
         public static OAuthAccessToken FromOAuthServiceResponse(OAuthServiceResponse response)
         {
-            return new OAuthAccessToken(response.AccessToken,
-                DateTime.Now.Add(TimeSpan.FromSeconds(response.ExpiresIn)));
+            if (!response.IsValid())
+            {
+                throw new ArgumentException("Invalid OAuth response");
+            }
+
+            return new OAuthAccessToken(
+                response.AccessToken,
+                response.TokenType,
+                DateTime.UtcNow.Add(TimeSpan.FromSeconds(response.ExpiresIn)));
         }
 
-        private OAuthAccessToken(string token, DateTime expirationDate)
+        private OAuthAccessToken(string token, string tokenType, DateTime expirationDate)
         {
-            Token = token;
-            _expirationDate = expirationDate;
+            Token = !string.IsNullOrWhiteSpace(token) ? token : throw new ArgumentException("Token cannot be empty");
+            TokenType = !string.IsNullOrWhiteSpace(tokenType)
+                ? tokenType
+                : throw new ArgumentException("TokenType cannot be empty");
+            _expirationDate = expirationDate.ToUniversalTime();
         }
 
         public bool IsValid()
@@ -26,7 +37,7 @@ public bool IsValid()
                 return false;
             }
 
-            return _expirationDate > DateTime.Now;
+            return _expirationDate > DateTime.UtcNow;
         }
     }
 }
diff --git a/src/CheckoutSdk/OAuthSdkCredentials.cs b/src/CheckoutSdk/OAuthSdkCredentials.cs
@@ -13,7 +13,6 @@ public sealed class OAuthSdkCredentials : SdkCredentials
 #if (NETSTANDARD2_0_OR_GREATER || NETCOREAPP3_1_OR_GREATER)
         private readonly ILogger _log = LogProvider.GetLogger(typeof(OAuthSdkCredentials));
 #endif
-
         private readonly string _clientId;
         private readonly string _clientSecret;
         private readonly JsonSerializer _serializer = new JsonSerializer();
@@ -80,9 +79,9 @@ private OAuthServiceResponse Request()
                 var httpRequest = new HttpRequestMessage(HttpMethod.Post, string.Empty);
                 var data = new List<KeyValuePair<string, string>>
                 {
+                    new KeyValuePair<string, string>("grant_type", "client_credentials"),
                     new KeyValuePair<string, string>("client_id", _clientId),
                     new KeyValuePair<string, string>("client_secret", _clientSecret),
-                    new KeyValuePair<string, string>("grant_type", "client_credentials"),
                     new KeyValuePair<string, string>("scope", GetScopes())
                 };
                 httpRequest.Content = new FormUrlEncodedContent(data);
diff --git a/src/CheckoutSdk/OAuthServiceResponse.cs b/src/CheckoutSdk/OAuthServiceResponse.cs
@@ -4,13 +4,16 @@ public sealed class OAuthServiceResponse
     {
         public string AccessToken { get; set; }
 
+        public string TokenType { get; set; }
+
         public long ExpiresIn { get; set; }
 
         public string Error { get; set; }
 
-        public bool IsValid()
-        {
-            return AccessToken != null && ExpiresIn != 0 && Error == null;
-        }
+        public bool IsValid() =>
+            !string.IsNullOrWhiteSpace(AccessToken) &&
+            !string.IsNullOrWhiteSpace(TokenType) &&
+            ExpiresIn > 0 &&
+            string.IsNullOrWhiteSpace(Error);
     }
 }
diff --git a/test/CheckoutSdkTest/OAuthAccessTokenTests.cs b/test/CheckoutSdkTest/OAuthAccessTokenTests.cs
@@ -0,0 +1,38 @@
+using System;
+using Xunit;
+
+namespace Checkout
+{
+    public class OAuthAccessTokenTests
+    {
+        [Fact]
+        public void ShouldReturnTrueAndTokenWhenResponseIsValid()
+        {
+            var response = new OAuthServiceResponse
+            {
+                AccessToken = "valid_token",
+                TokenType = "Bearer",
+                ExpiresIn = 3600
+            };
+
+            var token = OAuthAccessToken.FromOAuthServiceResponse(response);
+
+            Assert.NotNull(token);
+            Assert.Equal("valid_token", token.Token);
+            Assert.True(token.IsValid());
+        }
+
+        [Fact]
+        public void ShouldThrowExceptionWhenResponseIsInvalid()
+        {
+            var response = new OAuthServiceResponse
+            {
+                AccessToken = null,
+                TokenType = "Bearer",
+                ExpiresIn = 3600
+            };
+
+            Assert.Throws<ArgumentException>(() => OAuthAccessToken.FromOAuthServiceResponse(response));
+        }
+    }
+}
diff --git a/test/CheckoutSdkTest/OAuthSdkCredentialsTests.cs b/test/CheckoutSdkTest/OAuthSdkCredentialsTests.cs
@@ -0,0 +1,91 @@
+using Moq;
+using Moq.Protected;
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Xunit;
+
+namespace Checkout
+{
+    public class OAuthSdkCredentialsTests
+    {
+        private OAuthSdkCredentials CreateSdkCredentials(HttpResponseMessage mockResponse)
+        {
+            var mockHttpMessageHandler = new Mock<HttpMessageHandler>(MockBehavior.Strict);
+
+            mockHttpMessageHandler
+                .Protected()
+                .Setup<Task<HttpResponseMessage>>(
+                    "SendAsync",
+                    ItExpr.IsAny<HttpRequestMessage>(),
+                    ItExpr.IsAny<CancellationToken>())
+                .ReturnsAsync(mockResponse)
+                .Verifiable();
+
+            var httpClient = new HttpClient(mockHttpMessageHandler.Object)
+            {
+                BaseAddress = new Uri("https://fake-auth.com")
+            };
+
+            var httpClientFactoryMock = new Mock<IHttpClientFactory>();
+            httpClientFactoryMock
+                .Setup(_ => _.CreateClient())
+                .Returns(httpClient);
+
+            return new OAuthSdkCredentials(
+                httpClientFactoryMock.Object,
+                new Uri("https://fake-auth.com"),
+                "test_client_id",
+                "test_client_secret",
+                new HashSet<OAuthScope>()
+            );
+        }
+
+        [Fact]
+        public void ShouldReturnAuthorizationHeaderWhenTokenIsValid()
+        {
+            using var mockResponse = new HttpResponseMessage();
+            mockResponse.StatusCode = HttpStatusCode.OK;
+            mockResponse.Content = new StringContent(
+                "{\"access_token\": \"valid_token\", \"token_type\": \"Bearer\", \"expires_in\": 3600}",
+                Encoding.UTF8,
+                "application/json");
+            var sdk = CreateSdkCredentials(mockResponse);
+            sdk.InitAccess();
+
+            var authorization = sdk.GetSdkAuthorization(SdkAuthorizationType.OAuth);
+            Assert.NotNull(authorization);
+
+            string expectedHeader = $"Bearer valid_token";
+            string actualHeader = authorization.GetAuthorizationHeader();
+
+            Assert.Equal(expectedHeader, actualHeader);
+        }
+
+        [Fact]
+        public void ShouldThrowExceptionWhenApiReturnsError()
+        {
+            using var mockResponse = new HttpResponseMessage();
+            mockResponse.StatusCode = HttpStatusCode.BadRequest;
+            mockResponse.Content = new StringContent(
+                "{\"error\": \"invalid_client\"}",
+                Encoding.UTF8,
+                "application/json");
+            var sdk = CreateSdkCredentials(mockResponse);
+
+            Assert.Throws<CheckoutAuthorizationException>(() => sdk.InitAccess());
+        }
+
+        [Fact]
+        public void ShouldThrowExceptionWhenResponseHasInvalidToken()
+        {
+            var response = new OAuthServiceResponse { AccessToken = null, TokenType = "Bearer", ExpiresIn = 3600 };
+
+            Assert.Throws<ArgumentException>(() => OAuthAccessToken.FromOAuthServiceResponse(response));
+        }
+    }
+}
diff --git a/test/CheckoutSdkTest/OAuthServiceResponseTests.cs b/test/CheckoutSdkTest/OAuthServiceResponseTests.cs
@@ -0,0 +1,49 @@
+using Xunit;
+
+namespace Checkout
+{
+    public class OAuthServiceResponseTests
+    {
+        [Fact]
+        public void ShouldReturnTrueWhenResponseIsValid()
+        {
+            var response = new OAuthServiceResponse
+            {
+                AccessToken = "valid_token",
+                TokenType = "Bearer",
+                ExpiresIn = 3600,
+                Error = null
+            };
+
+            Assert.True(response.IsValid());
+        }
+
+        [Fact]
+        public void ShouldReturnFalseWhenResponseIsInvalid()
+        {
+            var response = new OAuthServiceResponse
+            {
+                AccessToken = null,
+                TokenType = "Bearer",
+                ExpiresIn = 3600,
+                Error = null
+            };
+
+            Assert.False(response.IsValid());
+        }
+
+        [Fact]
+        public void ShouldReturnFalseWhenExpiresInIsNegative()
+        {
+            var response = new OAuthServiceResponse
+            {
+                AccessToken = "valid_token",
+                TokenType = "Bearer",
+                ExpiresIn = -1,
+                Error = null
+            };
+
+            Assert.False(response.IsValid());
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -5,18 +5,29 @@ namespace Checkout`
`5`	`5`	`public sealed class OAuthAccessToken`
`6`	`6`	`{`
`7`	`7`	`public string Token { get; }`
	`8`	`+ public string TokenType { get; }`
`8`	`9`	`private readonly DateTime? _expirationDate;`
`9`	`10`
`10`	`11`	`public static OAuthAccessToken FromOAuthServiceResponse(OAuthServiceResponse response)`
`11`	`12`	`{`
`12`		`- return new OAuthAccessToken(response.AccessToken,`
`13`		`- DateTime.Now.Add(TimeSpan.FromSeconds(response.ExpiresIn)));`
	`13`	`+ if (!response.IsValid())`
	`14`	`+ {`
	`15`	`+ throw new ArgumentException("Invalid OAuth response");`
	`16`	`+ }`
	`17`	`+`
	`18`	`+ return new OAuthAccessToken(`
	`19`	`+ response.AccessToken,`
	`20`	`+ response.TokenType,`
	`21`	`+ DateTime.UtcNow.Add(TimeSpan.FromSeconds(response.ExpiresIn)));`
`14`	`22`	`}`
`15`	`23`
`16`		`- private OAuthAccessToken(string token, DateTime expirationDate)`
	`24`	`+ private OAuthAccessToken(string token, string tokenType, DateTime expirationDate)`
`17`	`25`	`{`
`18`		`- Token = token;`
`19`		`- _expirationDate = expirationDate;`
	`26`	`+ Token = !string.IsNullOrWhiteSpace(token) ? token : throw new ArgumentException("Token cannot be empty");`
	`27`	`+ TokenType = !string.IsNullOrWhiteSpace(tokenType)`
	`28`	`+ ? tokenType`
	`29`	`+ : throw new ArgumentException("TokenType cannot be empty");`
	`30`	`+ _expirationDate = expirationDate.ToUniversalTime();`
`20`	`31`	`}`
`21`	`32`
`22`	`33`	`public bool IsValid()`
`@@ -26,7 +37,7 @@ public bool IsValid()`
`26`	`37`	`return false;`
`27`	`38`	`}`
`28`	`39`
`29`		`- return _expirationDate > DateTime.Now;`
	`40`	`+ return _expirationDate > DateTime.UtcNow;`
`30`	`41`	`}`
`31`	`42`	`}`
`32`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,16 @@ public sealed class OAuthServiceResponse`
`4`	`4`	`{`
`5`	`5`	`public string AccessToken { get; set; }`
`6`	`6`
	`7`	`+ public string TokenType { get; set; }`
	`8`	`+`
`7`	`9`	`public long ExpiresIn { get; set; }`
`8`	`10`
`9`	`11`	`public string Error { get; set; }`
`10`	`12`
`11`		`- public bool IsValid()`
`12`		`- {`
`13`		`- return AccessToken != null && ExpiresIn != 0 && Error == null;`
`14`		`- }`
	`13`	`+ public bool IsValid() =>`
	`14`	`+ !string.IsNullOrWhiteSpace(AccessToken) &&`
	`15`	`+ !string.IsNullOrWhiteSpace(TokenType) &&`
	`16`	`+ ExpiresIn > 0 &&`
	`17`	`+ string.IsNullOrWhiteSpace(Error);`
`15`	`18`	`}`
`16`	`19`	`}`