fix: ebay oauth

Author: Leoglme

api/EBAY.md

@@ -20,14 +20,6 @@ In the developer portal, configure OAuth:
 
 **Important:** no mismatch in trailing slash, `http` vs `https`, or host (`localhost` vs `127.0.0.1`) between the eBay portal, `EBAY_REDIRECT_URI`, and the URL actually opened in the browser.
 
-### Local dev / desktop (Tauri) — “j’ai l’impression de passer sur une vieille version”
-
-After you approve eBay, **the browser always lands on `EBAY_REDIRECT_URI`**, not on whatever tab you started from.
-
-If `EBAY_REDIRECT_URI` points to **production** (e.g. `https://goupixdex.example/settings/marketplaces`) but you started OAuth from **`http://localhost:3000`** or a **Tauri dev** window, you will be redirected to **that production URL**. You then load the **deployed** front-end: no Nuxt devtools, no floating “Redémarrer workers / Sync DB” (those only exist when `import.meta.dev` is true), and the UI may lag behind your local branch.
-
-**Fix:** for local work, register and set `EBAY_REDIRECT_URI` to the **same origin** as the app you are running (e.g. `http://localhost:3000/settings/marketplaces` or your Tauri dev URL if eBay allows it). Use a separate eBay keyset/sandbox RuName if needed.
-
 ## 3. Scopes used by GoupixDex
 
 The API requests these scopes (already set in the backend):
@@ -73,7 +65,6 @@ Fulfillment shipping options (multiple domestic rates, international, handling t
 
 ## 8. Quick troubleshooting
 
-- **Après « Se connecter à eBay », l’app ressemble à une vieille version / plus d’outils dev** : eBay vous renvoie toujours vers `EBAY_REDIRECT_URI`. Si cette URL est la **production** alors que vous étiez en **localhost** ou Tauri dev, vous chargez le site déployé (build sans mode dev). Alignez `EBAY_REDIRECT_URI` + RuName eBay sur l’origine où vous travaillez — voir §2 ci-dessus.
 - **Token exchange error**: `redirect_uri` does not match what is registered at eBay, or `code` already used / expired (codes are single-use and short-lived).
 - **“User is not eligible for Business Policy”** (logs: error 20403 on `fulfillment_policy`): the account must be enrolled in **business policies**. The API calls [`optInToProgram`](https://developer.ebay.com/api-docs/sell/account/resources/program/methods/optInToProgram) with `SELLING_POLICY_MANAGEMENT` before loading policies; eBay can take **up to ~24 h** to activate — retry later or check with `getOptedInPrograms`.
 - **Publishing error**: wrong category, policies incompatible with the marketplace, or **condition descriptors** required for some card categories — see API logs (`ebay_body`).

api/routes/ebay_route.py

@@ -3,9 +3,12 @@
 from __future__ import annotations
 
 import datetime as dt
+import logging
 from typing import Annotated, Any
 from urllib.parse import unquote
 
+logger = logging.getLogger(__name__)
+
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
@@ -83,18 +86,16 @@ def ebay_authorize_url(
     force_login: Annotated[bool, Query()] = False,
 ) -> dict[str, str]:
     """Build the browser URL for eBay consent (User must open it)."""
-    app = get_settings()
     try:
-        url = build_authorization_url(state=state, force_login=force_login, app=app)
+        url = build_authorization_url(state=state, force_login=force_login)
     except RuntimeError as exc:
         if str(exc) == "ebay_oauth_not_configured":
             raise HTTPException(
                 status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                 detail="eBay OAuth is not configured on the server (EBAY_CLIENT_ID, EBAY_CLIENT_SECRET, EBAY_REDIRECT_URI).",
             ) from exc
         raise HTTPException(status_code=500, detail=str(exc)) from exc
-    redirect = (app.ebay_redirect_uri or "").strip()
-    return {"authorization_url": url, "state": state, "redirect_uri": redirect}
+    return {"authorization_url": url, "state": state}
 
 
 @router.post("/oauth/exchange", status_code=status.HTTP_200_OK)
@@ -135,12 +136,36 @@ async def ebay_oauth_exchange(
     db.add(user)
     db.commit()
     db.refresh(user)
-    scope = token_scope_string(data)
+
+    # Auth-code exchange often omits ``scope``; refresh with all consented scopes so the access
+    # token includes sell.fulfillment (required for getOrders / shipping labels).
+    scope_data = data
+    rt_plain = decrypt_ebay_token(user.ebay_refresh_token)
+    if rt_plain:
+        try:
+            scope_data = await refresh_user_access_token(rt_plain, request_all_scopes=True)
+            access = scope_data.get("access_token")
+            if access and isinstance(access, str):
+                user.ebay_access_token = store_ebay_token(access)
+                expires_in = int(scope_data.get("expires_in", 7200))
+                user.ebay_access_expires_at = now + dt.timedelta(seconds=expires_in)
+            if scope_data.get("refresh_token"):
+                user.ebay_refresh_token = store_ebay_token(str(scope_data["refresh_token"]))
+            db.add(user)
+            db.commit()
+            db.refresh(user)
+        except Exception as exc:
+            logger.warning("eBay post-exchange refresh failed (scopes may be incomplete): %s", exc)
+
+    scope = token_scope_string(scope_data)
+    has_fulfillment = token_has_fulfillment_scope(scope_data) or (
+        not scope and bool(decrypt_ebay_token(user.ebay_refresh_token))
+    )
     return {
         "ok": True,
         "ebay_connected": bool(decrypt_ebay_token(user.ebay_refresh_token)),
         "oauth_scope": scope,
-        "has_fulfillment_scope": token_has_fulfillment_scope(data),
+        "has_fulfillment_scope": has_fulfillment,
     }
 
 

api/services/ebay_publish_service.py

@@ -23,6 +23,7 @@
     _api_base_url,
     refresh_user_access_token,
     token_has_fulfillment_scope,
+    token_scope_string,
 )
 from services.ebay_trading_card_grading import (
     EBAY_CONDITION_GRADED,
@@ -262,7 +263,8 @@ async def ensure_ebay_access_token(
                 "on your production app keyset (developer.ebay.com)."
             ) from exc
         raise
-    if require_fulfillment_scope and not token_has_fulfillment_scope(data):
+    scope_str = token_scope_string(data)
+    if require_fulfillment_scope and scope_str and not token_has_fulfillment_scope(data):
         raise RuntimeError(
             "ebay_fulfillment_scope_missing: le token OAuth ne contient pas sell.fulfillment. "
             "Activez ce scope sur developer.ebay.com (clés production), révoquez l'app sur eBay.fr, "

web/app/layouts/default.vue

@@ -75,11 +75,7 @@ const toast = useToast()
 const workersRestarting: Ref<boolean> = ref(false)
 const dbSyncLoading: Ref<boolean> = ref(false)
 
-const showDevWorkerControls = computed(
-  () =>
-    // Production / site déployé : import.meta.dev est false → pas de panneau (ex. retour OAuth eBay vers EBAY_REDIRECT_URI prod).
-    import.meta.dev && Boolean(isDesktopApp.value),
-)
+const showDevWorkerControls = computed(() => import.meta.dev && Boolean(isDesktopApp.value))
 
 async function onRestartWorkers(): Promise<void> {
   workersRestarting.value = true

web/app/pages/settings/marketplaces.vue

@@ -242,60 +242,17 @@ async function startEbayOAuth(): Promise<void> {
     sessionStorage.setItem('ebay_oauth_state', state)
   }
   try {
-    const { data } = await $api.get<{
-      authorization_url: string
-      redirect_uri?: string
-    }>('/ebay/oauth/authorize-url', {
+    const { data } = await $api.get<{ authorization_url: string }>('/ebay/oauth/authorize-url', {
       params: { state, force_login: true },
     })
     if (import.meta.client) {
-      const expected = normalizeOAuthCallbackUrl(`${window.location.origin}/settings/marketplaces`)
-      const configured = normalizeOAuthCallbackUrl(data.redirect_uri || '')
-      if (configured && configured !== expected) {
-        const ok = window.confirm(
-          [
-            "L'URL de retour eBay configurée sur le serveur ne correspond pas à cette fenêtre.",
-            '',
-            `Serveur (EBAY_REDIRECT_URI) :\n${data.redirect_uri}`,
-            '',
-            `Cette app :\n${window.location.origin}/settings/marketplaces`,
-            '',
-            'Après validation chez eBay, vous serez renvoyé vers la première URL — souvent la production : autre interface, pas d’outils de développement (workers / sync DB).',
-            '',
-            'Pour le dev local : alignez EBAY_REDIRECT_URI et l’« URL acceptée » eBay sur la même origine que cette page (voir api/EBAY.md).',
-            '',
-            'Continuer quand même ?',
-          ].join('\n'),
-        )
-        if (!ok) {
-          return
-        }
-      }
       window.location.href = data.authorization_url
     }
   } catch (e) {
     toast.add({ title: 'OAuth indisponible', description: apiErrorMessage(e), color: 'error' })
   }
 }
 
-/** Same origin + path for comparing server redirect_uri with this app. */
-function normalizeOAuthCallbackUrl(raw: string): string {
-  const t = raw.trim()
-  if (!t) {
-    return ''
-  }
-  try {
-    const u = new URL(t)
-    let path = u.pathname
-    while (path.length > 1 && path.endsWith('/')) {
-      path = path.slice(0, -1)
-    }
-    return `${u.origin}${path === '' ? '/' : path}`.toLowerCase()
-  } catch {
-    return t.replace(/\/+$/, '').toLowerCase()
-  }
-}
-
 async function submitOnboarding(): Promise<void> {
   if (!phone.value.trim() || !addressLine1.value.trim() || !city.value.trim() || !postalCode.value.trim()) {
     toast.add({