Fix: Calendar timing fixes and security improvements (#87)

* fix: Calendar timing fixes and security improvements

- Fix calendar boundary refresh to enable real-time sensor updates
- Remove blocking coordinator refresh at boundary times
- Add URL sanitization to prevent token exposure in logs
- Add HTML escaping for user-provided display content
- Improve exception handling specificity
- Add JWT parsing documentation

Fixes timing issues where occupancy sensors updated at refresh times
instead of exact checkin/checkout boundaries. Also implements security
best practices from comprehensive audit.

* Fix: Remove redundant re module import

Addresses GitHub Advanced Security feedback by removing the redundant 're' module import inside _sanitize_url_for_log() method. The module is already imported at the top of the file (line 8), so the local import at line 592 was unnecessary.

Author: samspade21

custom_components/vacasa/api_client.py

@@ -443,8 +443,11 @@ async def _save_token_to_cache(self) -> None:
 
         try:
             await self._run_blocking_io(self._save_token_to_cache_sync)
-        except Exception as e:
+        except (OSError, IOError) as e:
             _LOGGER.warning("Failed to save token to cache file: %s", e)
+        except Exception as e:
+            _LOGGER.error("Unexpected error saving token to cache: %s", e)
+            raise
 
     def _load_token_from_cache_sync(self) -> bool:
         """Load the token from the cache file (synchronous helper).
@@ -581,6 +584,14 @@ def _base64_url_decode(self, input: str) -> str:
 
         return base64.urlsafe_b64decode(input).decode("utf-8")
 
+    def _sanitize_url_for_log(self, url: str) -> str:
+        """Remove sensitive tokens from URLs before logging."""
+        if "#access_token=" in url:
+            return url.split("#access_token=")[0] + "#<token_redacted>"
+        if "access_token=" in url:
+            return re.sub(r"access_token=[^&\s]+", "access_token=<redacted>", url)
+        return url
+
     def _timestamp_to_datetime(self, timestamp: int) -> datetime:
         """Convert timestamp to datetime.
 

custom_components/vacasa/calendar.py

@@ -391,16 +391,12 @@ def _handle_boundary_timer(self, scheduled_time: datetime, *, boundary: str) ->
     async def _boundary_refresh(self, boundary: str) -> None:
         """Refresh coordinator and calendar state at reservation boundaries."""
         _LOGGER.debug("Starting boundary refresh (%s) for %s", boundary, self._name)
-        try:
-            await self.coordinator.async_request_refresh()
-        except Exception as err:  # pragma: no cover - coordinator handles its own errors
-            _LOGGER.warning(
-                "Boundary refresh (%s) for %s failed: %s",
-                boundary,
-                self._name,
-                err,
-            )
 
+        # Immediately update current event using existing event cache.
+        # The calendar has sufficient cached event data from periodic coordinator updates
+        # to determine that a boundary has passed. Awaiting coordinator refresh here
+        # would block sensor updates by 3-10 seconds until the API call completes.
+        # The coordinator's normal periodic refresh cycle will fetch fresh data soon.
         await self._update_current_event()
         self.async_write_ha_state()
 

custom_components/vacasa/sensor.py

@@ -1017,12 +1017,19 @@ def _create_unit_sensors(
             )
             sensors.append(sensor)
             _LOGGER.debug("Successfully created %s for unit %s", sensor_class.__name__, unit_id)
-        except Exception as err:
+        except (ValueError, KeyError, TypeError) as err:
             _LOGGER.error(
                 "Failed to create %s for unit %s: %s",
                 sensor_class.__name__,
                 unit_id,
                 err,
+            )
+        except Exception as err:
+            _LOGGER.error(
+                "Unexpected error creating %s for unit %s: %s",
+                sensor_class.__name__,
+                unit_id,
+                err,
                 exc_info=True,
             )
     return sensors