Enhances refresh token error handling

Implements improved error handling for expired refresh tokens by introducing specific exception codes.

Updates exception messages and adds tests to ensure proper handling of identity provider exceptions, particularly for cases where refresh tokens expire.

Increases robustness of the authentication process by providing clearer feedback to users when re-authorization is required.

Author: Vítězslav Dvořák

composer.lock

@@ -240,7 +240,29 @@
 
         if ($expiresAt < $expiresSoon) {
             // Refresh the token if it is expired or will expire soon
-            $token->refreshToken(new \SpojeNet\CSas\Auth($token->getApplication()));
+            try {
+                $token->refreshToken(new \SpojeNet\CSas\Auth($token->getApplication()));
+            } catch (\RuntimeException $exception) {
+                if ($exception->getCode() === 24) {
+                    // Refresh token has expired
+                    if (isset($options['json']) || isset($options['j'])) {
+                        echo json_encode([
+                            'error' => 'refresh_token_expired',
+                            'error_description' => _('Refresh token has expired. Please re-authorize the application.'),
+                            'uuid' => $token->getDataValue('uuid'),
+                            'application_id' => $token->getDataValue('application_id')
+                        ], JSON_PRETTY_PRINT);
+                    } else {
+                        echo _('Error: Refresh token has expired. Please re-authorize the application.') . "\n";
+                        echo 'Token UUID: ' . $token->getDataValue('uuid') . "\n";
+                        echo 'Application ID: ' . $token->getDataValue('application_id') . "\n";
+                    }
+                    exit(1);
+                } else {
+                    // Other runtime exception, re-throw it
+                    throw $exception;
+                }
+            }
         }
 
         if (isset($options['json']) || isset($options['j'])) {

libexec/csas-access-token.php

@@ -115,14 +115,21 @@ public function refreshToken(AbstractProvider $provider): AccessToken
         } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $exception) {
             $errorData = $exception->getResponseBody();
             $errorMessage = $errorData['error_description'] ?? $exception->getMessage();
+            $errorCode = $errorData['error_code'] ?? null;
 
             // Clear the expired refresh token
             $this->setDataValue('refresh_token', null);
             $this->dbSync();
 
             $this->addStatusMessage(sprintf(_('Token refresh failed: %s'), $errorMessage), 'error');
 
-            throw new \RuntimeException(_('Refresh token has expired'), 24, $exception);
+            // Check if this is specifically a refresh token expiration error
+            if ($errorCode === '7109' || strpos($errorMessage, 'expired') !== false) {
+                throw new \RuntimeException(_('Refresh token has expired'), 24, $exception);
+            }
+            
+            // For other OAuth2 errors, throw a different exception
+            throw new \RuntimeException(sprintf(_('OAuth2 error: %s'), $errorMessage), 25, $exception);
         }
     }