
This queue is for tickets about the Net-OAuth2 CPAN distribution.

Report information
The Basics
Id: 94479
Status: resolved
Priority: 0/
Queue: Net-OAuth2

People
Owner: Nobody in particular
Requestors: icestar [...] inbox.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.57
Fixed in: (no value)



Subject: The content length limit for error messages is too short
Hi,

In the params_from_response() subroutine you have this limitation for the response content length:

    substr($content, 200) = '...' if length $content > 200;

I've discovered that it's too short for a failed get_access_token call, in the case of Facebook for example. Here is what I get in my log:

    "failed oauth call access token: received error: 400 Bad Request {"error":{"message":"Code was invalid or expired. Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook ha..."

You also don't try to decode_json the content when the response status is not 200, and apparently some OAuth2 providers set it as being not successful and pass some meaningful error description in JSON format.
Subject: Re: [rt.cpan.org #94479] The content length limit for error messages is too short
Date: Sun, 6 Apr 2014 23:20:20 +0200
To: Dmitry Bigunyak via RT <bug-Net-OAuth2 [...] rt.cpan.org>
From: Mark Overmeer <secretaris [...] nluug.nl>
* Dmitry Bigunyak via RT (bug-Net-OAuth2@rt.cpan.org) [140406 15:13]:
> Sun Apr 06 11:13:18 2014: Request 94479 was acted upon.
> Transaction: Ticket created by Alien
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=94479 >
>
> In the params_from_response() subroutine you have this limitation for
> the response content length: substr($content, 200) = '...' if length
> $content > 200;
>
> I've discovered that it's too short for failed get_access_token call
> in case of Facebook for example. Here is what I get in my log:

Why too short? The important part of the error message is shown. What do you expect to read in the >200 chars? The abbreviation is on purpose: I have not yet seen any useful long message.

> You also don't try to decode_json content when the response status
> is not 200 and apparently some OAuth2 providers set it as being not
> successful and pass some meaningful error description in JSON format.

The routine is left via an exception, which means that there is no easy way to pass back a value. But that's a cowardly answer. In reality, the possible answer will probably never be different than "no permission".

--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc                          MARKOV Solutions
Mark@Overmeer.net                          solutions@overmeer.net
http://Mark.Overmeer.net                   http://solutions.overmeer.net
From: icestar [...] inbox.ru
Well, I'd agree with you that for this error message there is not much sense in printing a long text. But I still think it might be important to get the original response JSON object which you get from the OAuth2 provider. Based on the information in the response, such as the error code for example, you might decide to do different things in your code.

Another place in your code where you swallow the original response is in the update_access_token() procedure. If you don't get a new access token you just bail out with an error. And again, it's important to know what exactly happened there. It might be that the refresh token which is used has been invalidated (Google sends an "invalid_grant" error in this case), and I need to know that to request it again.
will not change
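
The error handling discussed in this ticket, sketched as an added example; it is not code from the ticket or from Net::OAuth2. The helper name parse_token_error, the "code" field read from the nested error object, and the three sample responses are assumptions constructed for illustration. It decodes the error body of a non-200 token response, keeps the full body for the caller, and shortens only the copy that goes to the log.

```perl
use strict;
use warnings;
use JSON::PP qw(decode_json);   # core module

# Hypothetical helper, not part of Net::OAuth2: turn a failed token-endpoint
# response into a structure the caller can branch on, keeping the full body.
sub parse_token_error {
    my ($status, $body) = @_;
    my %err = (status => $status, raw => $body, code => undef, message => undef);

    my $data = eval { decode_json($body) };   # the body may not be JSON at all
    if (ref $data eq 'HASH') {
        my $e = $data->{error};
        if (ref $e eq 'HASH') {               # nested object, as in the Facebook log
            $err{code}    = $e->{code};       # assumed field name; undef if absent
            $err{message} = $e->{message};
        }
        elsif (defined $e) {                  # RFC 6749 section 5.2: error is a string
            $err{code}    = "$e";
            $err{message} = $data->{error_description};
        }
    }

    # Shorten only the copy written to the log; {raw} stays complete.
    my $excerpt = $body;
    substr($excerpt, 200) = '...' if length $excerpt > 200;
    $err{log_line} = "received error: $status $excerpt";
    return \%err;
}

# Constructed sample responses, not captured from any provider.
my @samples = (
    [400, '{"error":"invalid_grant","error_description":"Token has been revoked."}'],
    [400, '{"error":{"message":"Code was invalid or expired.","code":100}}'],
    [502, '<html>Bad Gateway</html>'],
);

for my $sample (@samples) {
    my $err  = parse_token_error(@$sample);
    my $code = $err->{code} // '';
    if ($code eq 'invalid_grant') {
        # The stored refresh token is no longer usable: ask the user to authorize again.
        print "invalid_grant: restart the authorization flow\n";
    }
    else {
        print "token request failed ($err->{status}): $err->{log_line}\n";
    }
}
```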