Add Stripe App OAuth scheduled refresh connection (#3346)

* Add Stripe App OAuth scheduled refresh connection
* Unschedule connection refresh when saving keys for connect
* Remove connection_type and refresh_token from settings when disconnecting
---------
Co-authored-by: James Allan <[email protected]>

Author: diegocurbelo

includes/admin/class-wc-rest-stripe-account-keys-controller.php

@@ -265,7 +265,11 @@ public function set_account_keys( WP_REST_Request $request ) {
 							&& ! $settings['test_secret_key'];
 
 		if ( $is_deleting_account ) {
-			$settings['enabled'] = 'no';
+			$settings['enabled']              = 'no';
+			$settings['connection_type']      = '';
+			$settings['test_connection_type'] = '';
+			$settings['refresh_token']        = '';
+			$settings['test_refresh_token']   = '';
 			$this->record_manual_account_disconnect_track_event( 'yes' === $settings['testmode'] );
 		} else {
 			$this->record_manual_account_key_update_track_event( 'yes' === $settings['testmode'] );

includes/connect/class-wc-stripe-connect-api.php

@@ -88,6 +88,24 @@ public function get_stripe_oauth_keys( $code, $type = 'connect', $mode = 'live'
 			return $this->request( 'POST', $path, $request );
 		}
 
+		/**
+		 * Sends a request to the Connect Server for Stripe App refreshed keys.
+		 *
+		 * @since 8.6.0
+		 *
+		 * @param string $refresh_token Stripe App OAuth refresh token.
+		 * @param string $mode          Optional. The mode to refresh keys for. 'live' or 'test'. Default is 'live'.
+		 *
+		 * @return array
+		 */
+		public function refresh_stripe_app_oauth_keys( $refresh_token, $mode = 'live' ) {
+			$request = [
+				'refreshToken' => $refresh_token,
+				'mode'         => $mode,
+			];
+			return $this->request( 'POST', '/stripe/app-oauth-keys-refresh', $request );
+		}
+
 		/**
 		 * General OAuth request method.
 		 *

includes/connect/class-wc-stripe-connect.php

@@ -27,6 +27,9 @@ class WC_Stripe_Connect {
 		public function __construct( WC_Stripe_Connect_API $api ) {
 			$this->api = $api;
 
+			// refresh the connection, triggered by Action Scheduler
+			add_action( 'wc_stripe_refresh_connection', [ $this, 'refresh_connection' ] );
+
 			add_action( 'admin_init', [ $this, 'maybe_handle_redirect' ] );
 		}
 
@@ -166,6 +169,20 @@ private function save_stripe_keys( $result, $type = 'connect', $mode = 'live' )
 
 			update_option( self::SETTINGS_OPTION, $options );
 
+			// Similar to what we do for webhooks, we save some stats to help debug oauth problems.
+			update_option( 'wc_stripe_' . $prefix . 'oauth_updated_at', time() );
+			update_option( 'wc_stripe_' . $prefix . 'oauth_failed_attempts', 0 );
+			update_option( 'wc_stripe_' . $prefix . 'oauth_last_failed_at', '' );
+
+			if ( 'app' === $type ) {
+				// Stripe App OAuth access_tokens expire after 1 hour:
+				// https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token
+				$this->schedule_connection_refresh();
+			} else {
+				// Make sure that all refresh actions are cancelled if they haven't connected via the app.
+				$this->unschedule_connection_refresh();
+			}
+
 			try {
 				// Automatically configure webhooks for the account now that we have the keys.
 				WC_Stripe::get_instance()->account->configure_webhooks( $is_test ? 'test' : 'live', $secret_key );
@@ -247,6 +264,26 @@ public function is_connected_via_oauth( $mode = 'live' ) {
 			return isset( $options[ $key ] ) && in_array( $options[ $key ], [ 'connect', 'app' ], true );
 		}
 
+		/**
+		 * Determines if the store is using a Stripe App OAuth connection.
+		 *
+		 * @since 8.6.0
+		 *
+		 * @param string $mode Optional. The mode to check. 'live' | 'test' | null (default: null).
+		 * @return bool True if connected via Stripe App OAuth, false otherwise.
+		 */
+		public function is_connected_via_app_oauth( $mode = null ) {
+			$options = get_option( self::SETTINGS_OPTION, [] );
+
+			// If the mode is not provided, we'll check the current mode.
+			if ( is_null( $mode ) ) {
+				$mode = isset( $options['testmode'] ) && 'yes' === $options['testmode'] ? 'test' : 'live';
+			}
+			$key = 'test' === $mode ? 'test_connection_type' : 'connection_type';
+
+			return isset( $options[ $key ] ) && 'app' === $options[ $key ];
+		}
+
 		/**
 		 * Records a track event after the user is redirected back to the store from the Stripe UX.
 		 *
@@ -265,5 +302,83 @@ private function record_account_connect_track_event( bool $had_error ) {
 			// a queue wouldn't be processed due to the redirect that comes after.
 			WC_Tracks::record_event( $event_name, [ 'is_test_mode' => $is_test ] );
 		}
+
+		/**
+		 * Schedules the App OAuth connection refresh.
+		 *
+		 * @since 8.6.0
+		 */
+		private function schedule_connection_refresh() {
+			if ( ! $this->is_connected_via_app_oauth() ) {
+				return;
+			}
+
+			/**
+			 * Filters the frequency with which the App OAuth connection should be refreshed.
+			 * Access tokens expire in 1 hour, and there seem to be no way to customize that from the Stripe Dashboard:
+			 * https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token
+			 * We schedule the connection refresh every 55 minutues.
+			 *
+			 * @param int $interval refresh interval
+			 *
+			 * @since 8.6.0
+			 */
+			$interval = apply_filters( 'wc_stripe_connection_refresh_interval', HOUR_IN_SECONDS - 5 * MINUTE_IN_SECONDS );
+
+			// Make sure that all refresh actions are cancelled before scheduling it.
+			$this->unschedule_connection_refresh();
+
+			as_schedule_single_action( time() + $interval, 'wc_stripe_refresh_connection', [], WC_Stripe_Action_Scheduler_Service::GROUP_ID, false, 0 );
+		}
+
+		/**
+		 * Unschedules the App OAuth connection refresh.
+		 *
+		 * @since 8.6.0
+		 */
+		protected function unschedule_connection_refresh() {
+			as_unschedule_all_actions( 'wc_stripe_refresh_connection', [], WC_Stripe_Action_Scheduler_Service::GROUP_ID );
+		}
+
+		/**
+		 * Refreshes the App OAuth access_token via the Woo Connect Server.
+		 *
+		 * @since 8.6.0
+		 */
+		public function refresh_connection() {
+			if ( ! $this->is_connected_via_app_oauth() ) {
+				return;
+			}
+
+			$options       = get_option( self::SETTINGS_OPTION, [] );
+			$mode          = isset( $options['testmode'] ) && 'yes' === $options['testmode'] ? 'test' : 'live';
+			$prefix        = 'test' === $mode ? 'test_' : '';
+			$refresh_token = $options[ $prefix . 'refresh_token' ];
+
+			$retries = get_option( 'wc_stripe_' . $prefix . 'oauth_failed_attempts', 0 ) + 1;
+
+			$response = $this->api->refresh_stripe_app_oauth_keys( $refresh_token, $mode );
+			if ( ! is_wp_error( $response ) ) {
+				$response = $this->save_stripe_keys( $response, 'app', $mode );
+			}
+
+			if ( is_wp_error( $response ) ) {
+				update_option( 'wc_stripe_' . $prefix . 'oauth_failed_attempts', $retries );
+				update_option( 'wc_stripe_' . $prefix . 'oauth_last_failed_at', time() );
+
+				WC_Stripe_Logger::log( 'OAuth connection refresh failed: ' . print_r( $response, true ) ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+
+				// If after 10 attempts we are unable to refresh the connection keys, we don't re-schedule anymore,
+				// in this case an error message is show in the account status indicating that the API keys are not
+				// valid and that a reconnection is necessary.
+				if ( $retries < 10 ) {
+					// Re-schedule the connection refresh
+					$this->schedule_connection_refresh();
+				}
+			}
+
+			// save_stripe_keys() schedules a connection_refresh after saving the keys,
+			// we don't need to do it explicitly here.
+		}
 	}
 }