Force user re-authorization for revoked tokens

It's not entirely clear if this is caused by a new condition, the access is revoked or the error message that canvas emits has change it's wording. Logging this situation with the error message to keep track of how often we see them in the logs.
hypothesis · Nov 21, 2024 · e503e5b · e503e5b
1 parent 9393b2f
commit e503e5b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lms/services/exceptions.py b/lms/services/exceptions.py
@@ -1,5 +1,9 @@
+import logging
+
 from lms.models.oauth2_token import Service
 
+log = logging.getLogger(__name__)
+
 
 class JWTError(Exception):
     """A problem with a JWT."""
@@ -215,7 +219,10 @@ def raise_from(cls, cause, request, response, validation_errors=None):
 
         error_description = response_json.get("error_description", "")
 
-        if {"message": "Invalid access token."} in errors:
+        if {"message": "Invalid access token."} in errors or {
+            "message": "Revoked access token."
+        } in errors:
+            log.info("Canvas token error, forcing re-authorization. %s", errors)
             raise OAuth2TokenError(refreshable=True, **kwargs) from cause
 
         if error_description == "refresh_token not found":

diff --git a/tests/unit/lms/services/exceptions_test.py b/tests/unit/lms/services/exceptions_test.py
@@ -186,6 +186,12 @@ class TestCanvasAPIError:
                 json.dumps({"errors": [{"message": "Invalid access token."}]}),
                 OAuth2TokenError,
             ),
+            # A 401 Unauthorized response from Canvas, revoked token
+            (
+                401,
+                json.dumps({"errors": [{"message": "Revoked access token."}]}),
+                OAuth2TokenError,
+            ),
             # A 401 Unauthorized response from Canvas, because our access token had
             # insufficient scopes;
             (