Skip to content

Add validation for empty refresh token in refreshShopToken #592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
octavebenil wants to merge 2 commits into from
Closed

Add validation for empty refresh token in refreshShopToken #592

octavebenil wants to merge 2 commits into from

Conversation

@octavebenil
Copy link

@octavebenil octavebenil commented Nov 10, 2025
edited
Loading

Fix “Cannot refresh token” in ps_accounts 8.0.4 by preventing empty refresh tokens from being sent and preferring OAuth2 (V7) when the registered version is unknown.

Context

  • Versions:

      - 7.2.2: account linking works.
  - 8.0.4: verification/migration fails.

  • Symptom:

     - POST /v1/shop/token/refresh sent with {"token": ""} → 400 Bad Request “Cannot refresh token”.

  • Root cause:

    - MigrateOrCreateIdentityV8Handler::getTokenV6OrV7('0', ...) takes the V6 path.

- V6 path reads the legacy refresh token from configuration; it’s missing, resulting in an empty token being sent.

- No guard or fallback existed in 8.0.4.

What’s changed

- Prevent HTTP calls with empty refresh tokens.

- Prefer OAuth2 (V7) when registered version is unknown (“0” or empty), fallback to V6 with clear validation.

Technical changes

- AccountsService.php

     - refreshShopToken() :

          - Add early guard for empty refreshToken.

          - Throw AccountsException with error store/empty-refresh-token and a clear message.

    - MigrateOrCreateIdentityV8Handler.php

          - Add use PrestaShop\Module\PsAccounts\Http\Client\Response;.

          - getFirebaseTokenV6() :

                - Validate presence of legacy refresh token in configuration.

                - If missing, throw AccountsException with store/missing-legacy-refresh-token.

        - getTokenV6OrV7() :

               - If version is empty or “0”, try V7 first; on failure, fall back to V6.

              - Keep existing logic for versions >= 7 (V7) and < 7 (V6).

@octavebenil
Verify ident
ca7bd6b
@octavebenil
Add validation for empty refresh token in refreshShopToken
0eefa10 
Added guard clause to handle empty refresh token and throw AccountsException.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 10, 2025

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@hschoenenberger
Copy link
Contributor

hschoenenberger commented Nov 14, 2025

@octavebenil Thanks for your contribution 👍
That's a problem we're going to address and we'll consider your fix.

@hschoenenberger
Copy link
Contributor

hschoenenberger commented Dec 12, 2025

Fixed with #600 , @octavebenil thanks for your work !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hschoenenberger hschoenenberger Awaiting requested review from hschoenenberger

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@octavebenil @hschoenenberger