Merge branch 'issue-213' into main. Closes #213

simonrob · simonrob · commit a43fa2e3719a · 2023-12-19T22:31:19.000Z
diff --git a/README.md b/README.md
@@ -75,7 +75,6 @@ The [sample configuration file](https://github.com/simonrob/email-oauth2-proxy/b
 
 The proxy also supports the [client credentials grant](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow) and [resource owner password credentials grant](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc) OAuth 2.0 flows if needed.
 Please note that currently only Office 365 is known to support these methods.
-In addition, when using the client credentials grant flow, Office 365 only supports IMAP/POP, [_not_ SMTP](https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections) (use [smtp2graph](https://github.com/EvanTrow/smtp2graph) instead here).
 See the [sample configuration file](https://github.com/simonrob/email-oauth2-proxy/blob/main/emailproxy.config) for further details.
 
 
diff --git a/emailproxy.py b/emailproxy.py
@@ -340,10 +340,10 @@ def save(store_id, config_dict):
 
 
 class AWSSecretsManagerCacheStore(CacheStore):
-    # noinspection PyGlobalUndefined,PyPackageRequirements
     @staticmethod
     def _get_boto3_client(store_id):
         try:
+            # noinspection PyGlobalUndefined
             global boto3, botocore
             import boto3
             import botocore.exceptions
@@ -752,7 +752,11 @@ def get_account_with_catch_all_fallback(option):
         try:
             # if both secret values are present we use the unencrypted version (as it may have been user-edited)
             if client_secret_encrypted and not client_secret:
-                client_secret = cryptographer.decrypt(client_secret_encrypted)
+                try:
+                    client_secret = cryptographer.decrypt(client_secret_encrypted)
+                except InvalidToken as e:  # needed to avoid looping as we don't remove secrets on decryption failure
+                    Log.error('Invalid password to decrypt', username, 'secret - aborting login:', Log.error_string(e))
+                    return False, '%s: Login failed - the password for account %s is incorrect' % (APP_NAME, username)
 
             if access_token or refresh_token:  # if possible, refresh the existing token(s)
                 if not access_token or access_token_expiry - current_time < TOKEN_EXPIRY_MARGIN:
@@ -2272,7 +2276,9 @@ class App:
     """Manage the menu bar icon, server loading, authorisation and notifications, and start the main proxy thread"""
 
     def __init__(self, args=None):
-        global CONFIG_FILE_PATH, CACHE_STORE, EXITING, prompt_toolkit
+        # noinspection PyGlobalUndefined
+        global prompt_toolkit
+        global CONFIG_FILE_PATH, CACHE_STORE, EXITING
         EXITING = False  # needed to allow restarting when imported from parent scripts (or an interpreter)
 
         parser = argparse.ArgumentParser(description='%s: transparently add OAuth 2.0 support to IMAP/POP/SMTP client '
