From 39d0f1de98310fb351641b0347610cf4dc036b33 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Mon, 30 Dec 2019 18:23:45 -0500
Subject: [PATCH 1/2] Add logging in viewOauthCallback()
Ref T705
---
 oauth.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/oauth.go b/oauth.go
index d918f7f..98e0d43 100644
--- a/oauth.go
+++ b/oauth.go
@@ -113,12 +113,14 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 	err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
+		log.Error("Unable to ValidateOAuthState: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	tokenResponse, err := h.exchangeOauthCode(ctx, code)
 	if err != nil {
+		log.Error("Unable to exchangeOauthCode: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
@@ -127,12 +129,14 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 	// it really really works.
 	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
+		log.Error("Unable to inspectOauthAccessToken: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
 	if err != nil {
+		log.Error("Unable to GetIDForRemoteUser: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
From 6bcc4cfa46b681f3d1341e4166ac38ae91d6068b Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Mon, 30 Dec 2019 18:25:24 -0500
Subject: [PATCH 2/2] Check for error response in code exchange
This checks to see if we get a response with a populated `error` field in exchangeOauthCode(). If so, we return that error message as an error, to ensure the callback logic doesn't continue with a bad response.
Ref T705
---
 oauth.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/oauth.go b/oauth.go
index 98e0d43..0042433 100644
--- a/oauth.go
+++ b/oauth.go
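Review bot: Each new `log.Error` call now records the failure server-side, yet the `failOAuthRequest(w, http.StatusInternalServerError, err.Error())` line right after it still sends the raw error text to the browser — for `ValidateOAuthState` that is presumably a database error string, and for `exchangeOauthCode` it is whatever the upstream provider answered. With the detail in the log, the response can carry a generic message instead, e.g. `failOAuthRequest(w, http.StatusInternalServerError, "unable to complete login")`, so internal and upstream text never reaches the client; the same applies to the second hunk (`inspectOauthAccessToken`, `GetIDForRemoteUser`). A state-validation failure is a problem with the incoming request rather than a server fault, so `http.StatusBadRequest` would describe it more accurately than 500, though that status is pre-existing. viewOauthCallback begins and ends outside both hunks.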
@@ -25,6 +25,7 @@ type TokenResponse struct {
 	ExpiresIn int `json:"expires_in"`
 	RefreshToken string `json:"refresh_token"`
 	TokenType string `json:"token_type"`
+	Error string `json:"error"`
 }
 // InspectResponse contains data returned when an access token is inspected.
@@ -224,6 +225,11 @@ func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*Toke
 	if err != nil {
 		return nil, err
 	}
+
+	// Check the response for an error message, and return it if there is one.
+	if tokenResponse.Error != "" {
+		return nil, fmt.Errorf(tokenResponse.Error)
+	}
 	return &tokenResponse, nil
 }
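Review bot: `fmt.Errorf(tokenResponse.Error)` in the exchangeOauthCode hunk uses the provider-supplied string as the format string, so any `%` in it is parsed as a verb and produces `%!…(MISSING)` noise, and recent `go vet` releases flag a non-constant format string here. Pass the text as an argument instead, `return nil, fmt.Errorf("oauth code exchange: %s", tokenResponse.Error)`, which also labels where the failure originated. OAuth 2.0 error responses normally carry an `error_description` next to `error` (RFC 6749 §5.2), so the TokenResponse hunk above could add `ErrorDescription string `json:"error_description"`` and include it in the message when present. Keep in mind that the caller's failOAuthRequest reflects this provider-controlled text into the HTTP response, so it should be treated as untrusted input at that point. exchangeOauthCode begins outside the hunk.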