fix: Improve OAuth token refresh error handling and state management

andris9 · andris9 · commit 5be242bd5392 · 2025-11-21T17:17:20.000+02:00
Enhanced error handling for OAuth token refresh failures across all email
clients (Gmail, Outlook, IMAP) with better state management and notification
controls.
diff --git a/lib/email-client/gmail-client.js b/lib/email-client/gmail-client.js
@@ -295,6 +295,9 @@ class GmailClient extends BaseClient {
     async init(opts) {
         opts = opts || {};
 
+        this.state = 'connecting';
+        await this.setStateVal();
+
         await this.getAccount();
         await this.getClient(true);
 
@@ -349,10 +352,13 @@ class GmailClient extends BaseClient {
 
             err.authenticationFailed = true;
 
-            await this.notify(false, AUTH_ERROR_NOTIFY, {
-                response: err.oauthRequest?.response?.error?.message || err.response,
-                serverResponseCode: 'ApiRequestError'
-            });
+            if (!err.errorNotified) {
+                err.errorNotified = true;
+                await this.notify(false, AUTH_ERROR_NOTIFY, {
+                    response: err.oauthRequest?.response?.error?.message || err.response,
+                    serverResponseCode: 'ApiRequestError'
+                });
+            }
 
             throw err;
         }
@@ -1809,7 +1815,34 @@ class GmailClient extends BaseClient {
     }
 
     async getToken() {
-        const tokenData = await this.accountObject.getActiveAccessTokenData();
+        let tokenData;
+        try {
+            tokenData = await this.accountObject.getActiveAccessTokenData();
+            if (!['init', 'connecting', 'connected'].includes(this.state)) {
+                // We're in an error state (authenticationError, disconnected, etc.)
+                // But we just got a valid token, so we've recovered
+                this.state = 'connected';
+                await this.setStateVal();
+            }
+        } catch (E) {
+            if (E.code === 'ETokenRefresh') {
+                // treat as authentication failure
+                this.state = 'authenticationError';
+                await this.setStateVal();
+
+                E.authenticationFailed = true;
+
+                if (!E.errorNotified) {
+                    E.errorNotified = true;
+                    await this.notify(false, AUTH_ERROR_NOTIFY, {
+                        response: E.oauthRequest?.response?.error?.message || E.response,
+                        serverResponseCode: 'TokenGenerationError'
+                    });
+                }
+            }
+
+            throw E;
+        }
         return tokenData.accessToken;
     }
 
diff --git a/lib/email-client/imap-client.js b/lib/email-client/imap-client.js
@@ -666,6 +666,9 @@ class IMAPClient extends BaseClient {
             return false;
         }
 
+        this.state = 'connecting';
+        await this.setStateVal();
+
         let imapClient = this.imapClient;
 
         let accountData = await this.accountObject.loadAccountData();
@@ -940,7 +943,6 @@ class IMAPClient extends BaseClient {
 
         // Update state to connected
         this.state = 'connected';
-
         await this.setStateVal();
 
         // Store IMAP server capabilities for reference
diff --git a/lib/email-client/outlook-client.js b/lib/email-client/outlook-client.js
@@ -165,6 +165,9 @@ class OutlookClient extends BaseClient {
      * Sets up OAuth2 authentication, validates access, and starts background processes
      */
     async init() {
+        this.state = 'connecting';
+        await this.setStateVal();
+
         await this.getAccount();
         await this.prepareDelegatedAccount();
         await this.getClient(true);
@@ -199,10 +202,13 @@ class OutlookClient extends BaseClient {
 
             err.authenticationFailed = true;
 
-            await this.notify(false, AUTH_ERROR_NOTIFY, {
-                response: err.oauthRequest?.response?.error?.message || err.response,
-                serverResponseCode: 'ApiRequestError'
-            });
+            if (!err.errorNotified) {
+                err.errorNotified = true;
+                await this.notify(false, AUTH_ERROR_NOTIFY, {
+                    response: err.oauthRequest?.response?.error?.message || err.response,
+                    serverResponseCode: 'ApiRequestError'
+                });
+            }
 
             throw err;
         }
@@ -2392,7 +2398,35 @@ class OutlookClient extends BaseClient {
      * Get OAuth2 access token from account or delegated account
      */
     async getToken() {
-        const tokenData = await (this.delegatedAccountObject || this.accountObject).getActiveAccessTokenData();
+        let tokenData;
+        try {
+            tokenData = await (this.delegatedAccountObject || this.accountObject).getActiveAccessTokenData();
+            if (!['init', 'connecting', 'connected'].includes(this.state)) {
+                // We're in an error state (authenticationError, disconnected, etc.)
+                // But we just got a valid token, so we've recovered
+                this.state = 'connected';
+                await this.setStateVal();
+            }
+        } catch (E) {
+            if (E.code === 'ETokenRefresh') {
+                // treat as authentication failure
+                this.state = 'authenticationError';
+                await this.setStateVal();
+
+                E.authenticationFailed = true;
+
+                if (!E.errorNotified) {
+                    E.errorNotified = true;
+                    await this.notify(false, AUTH_ERROR_NOTIFY, {
+                        response: E.oauthRequest?.response?.error?.message || E.response,
+                        serverResponseCode: 'TokenGenerationError'
+                    });
+                }
+            }
+
+            throw E;
+        }
+
         return tokenData.accessToken;
     }
 
diff --git a/lib/oauth/gmail.js b/lib/oauth/gmail.js
@@ -309,6 +309,8 @@ class GmailOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.statusCode = res.status;
             err.tokenRequest = {
                 url: requestUrl,
@@ -420,6 +422,8 @@ class GmailOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.statusCode = res.status;
             err.tokenRequest = {
                 url: requestUrl,
diff --git a/lib/oauth/mail-ru.js b/lib/oauth/mail-ru.js
@@ -140,6 +140,8 @@ class MailRuOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.tokenRequest = {
                 url: requestUrl,
                 method,
@@ -221,6 +223,8 @@ class MailRuOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.tokenRequest = {
                 url: requestUrl,
                 method,
diff --git a/lib/oauth/outlook.js b/lib/oauth/outlook.js
@@ -289,6 +289,8 @@ class OutlookOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.statusCode = res.status;
             err.tokenRequest = {
                 url: requestUrl,
@@ -382,6 +384,8 @@ class OutlookOauth {
 
         if (!res.ok) {
             let err = new Error('Token request failed');
+            err.code = 'ETokenRefresh';
+
             err.statusCode = res.status;
             err.tokenRequest = {
                 url: requestUrl,
diff --git a/lib/tools.js b/lib/tools.js
@@ -2110,7 +2110,6 @@ C8MNYeCjyQjdvxim
 aZBE0lOjBe4XuK5E
 SJVPHpfUX3kpFpLi
 J5hGmNpIvL7cc4Jn
-5MisnkMNa2gQJQ1U
 3arFOanxm/RO8U5c
 VNRO9yqTV90pZSsm
 fvZjf0oEWxQhZR1+
diff --git a/views/accounts/account.hbs b/views/accounts/account.hbs
@@ -243,7 +243,8 @@
             <dd class="col-sm-9">
                 {{#if account.isApi}}
                 {{#if account.sendOnly}}
-                API <span class="badge badge-info" style="cursor:default;" data-toggle="popover" data-trigger="hover" data-content="This account can only send emails. It does not have read access to the mailbox.">Send-only</span>
+                API <span class="badge badge-info" style="cursor:default;" data-toggle="popover" data-trigger="hover"
+                    data-content="This account can only send emails. It does not have read access to the mailbox.">Send-only</span>
                 {{else}}
                 API
                 {{/if}}
@@ -404,11 +405,12 @@
     <div class="card-body">
 
         {{#if account.lastErrorState}}
+        {{#if account.lastErrorState.description}}
+        <div class="alert alert-danger">{{account.lastErrorState.description}}</div>
+        {{/if}}
         <dl class="row">
-            {{#if account.lastErrorState.description}}
-            <dt class="col-sm-3">Error</dt>
-            <dd class="col-sm-9">{{account.lastErrorState.description}}</dd>
-            {{/if}}
+
+
 
             {{#if account.lastErrorState.response}}
             <dt class="col-sm-3">IMAP response</dt>
