e2email-org / e2email

E2EMail is a simple Chrome application - a Gmail client that exchanges OpenPGP mail.
Apache License 2.0
806 stars 62 forks

Revoking authorization #9

Open KamilaHasanbega opened 8 years ago

KamilaHasanbega commented 8 years ago

Revoking authorization in Gmail while the e2email app is running breaks the app, as it shows the popup requiring only 2 authorizations out of the 4 it should require, and therefore becomes unable to proceed to the next pages.

koto commented 8 years ago

This initially looks like the scope in chrome.identity.getAuthToken() is provided dynamically instead of leaving it empty, which would default to the scopes in the app manifest.

Do you have better reproduction steps, Kamila, so we're sure the bug is fixed once the code changes?

KamilaHasanbega commented 8 years ago

Note: Revoking authorizations while in the threads does not request new authorizations, instead it just returns 401 and does not show the previous emails.

Possible solutions: showing the user that they seem to have revoked the rights, and making it possible for the user to sign out at this point, thereby revoking the token (@kbsriram please let me know what you think about this case).

kbsriram commented 8 years ago

This would be a nice to fix bug, though perhaps developers might run into this more often than users. I'll mark as help wanted for now and leave it open.

koto commented 7 years ago

Some of the scope confusion can be easily fixed by disallowing specifying scopes dynamically. I've tested it and such an approach works. Whichever token we are given, it has all the necessary scopes declared in the manifest.

But what causes error is that chrome.identity.getAuthToken caches tokens, and serves an invalid one after the authorization was manually revoked.

The proposed solution is to try the request and delete the token if possible. http://stackoverflow.com/questions/19929310/how-do-i-detect-an-invalid-auth-token-from-chrome-identity-getauthtoken (we could also use the tokeninfo endpoint to validate one: https://www.googleapis.com/oauth2/v1/tokeninfo). Since everything is done in a Promise, this should be transparent for users and perhaps even that token validation status can be cached for the application lifetime in AuthService.
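The retry-and-evict approach koto proposes, as an added example that is not code from the e2email repository. It wraps `chrome.identity.getAuthToken` and `chrome.identity.removeCachedAuthToken` in Promises, passes no `scopes` in the call (so the manifest scopes apply), and on a 401 evicts the cached token and retries exactly once with an interactive prompt. The `identity` and `fetchFn` parameters, `fetchWithAuth`, `makeFakeIdentity`, `makeFakeGmail` and the token strings are all assumptions introduced for this example; the two fakes stand in for `chrome.identity` and the Gmail API so the logic runs offline.

```javascript
// Added example, not e2email code. Promise wrappers around the callback-style
// chrome.identity API. `identity` is injected (chrome.identity in the app, a
// fake below) so the recovery path can be exercised without a browser.
function getToken(identity, interactive) {
  return new Promise((resolve, reject) => {
    // No `scopes` here: leaving it out makes Chrome use the manifest scopes.
    identity.getAuthToken({ interactive }, (token) => {
      if (!token) {
        const err = identity.lastError ? identity.lastError.message : 'no token';
        return reject(new Error(err));
      }
      resolve(token);
    });
  });
}

function removeCachedToken(identity, token) {
  return new Promise((resolve) => identity.removeCachedAuthToken({ token }, resolve));
}

// Try the request with whatever token the cache hands out. A 401 means Gmail
// rejected it (e.g. the user revoked access), so evict it from Chrome's cache
// and retry once, this time allowing an interactive re-consent prompt. A second
// 401 is returned to the caller, which can then tell the user and offer sign-out.
async function fetchWithAuth(identity, fetchFn, url, attempt = 0) {
  const token = await getToken(identity, /* interactive */ attempt > 0);
  const response = await fetchFn(url, { headers: { Authorization: 'Bearer ' + token } });
  if (response.status === 401 && attempt === 0) {
    await removeCachedToken(identity, token);
    return fetchWithAuth(identity, fetchFn, url, attempt + 1);
  }
  return response;
}

// Constructed fake of chrome.identity (hypothetical): keeps serving a cached
// token after the user revoked it, which is the behaviour described above.
function makeFakeIdentity(cachedToken, freshToken) {
  const identity = {
    cache: cachedToken,
    removed: [],
    lastError: null,
    getAuthToken({ interactive }, cb) {
      if (identity.cache === null) {
        // Nothing cached: only an interactive prompt can mint a fresh token.
        if (!interactive) {
          identity.lastError = { message: 'The user is not signed in.' };
          cb(undefined);
          identity.lastError = null;
          return;
        }
        identity.cache = freshToken;
      }
      cb(identity.cache);
    },
    removeCachedAuthToken({ token }, cb) {
      identity.removed.push(token);
      if (identity.cache === token) identity.cache = null;
      cb();
    },
  };
  return identity;
}

// Constructed fake of the Gmail API (hypothetical): 200 for tokens it still
// accepts, 401 for anything else, which is what a revoked token receives.
function makeFakeGmail(validTokens) {
  const calls = [];
  const fetchFn = async (url, opts) => {
    const token = (opts.headers.Authorization || '').replace('Bearer ', '');
    calls.push(token);
    return validTokens.has(token)
      ? { status: 200, body: 'threads' }
      : { status: 401, body: 'Invalid Credentials' };
  };
  fetchFn.calls = calls;
  return fetchFn;
}

// Scenario: the cache holds 'stale-token' (revoked); only 'fresh-token' works.
async function demo() {
  const identity = makeFakeIdentity('stale-token', 'fresh-token');
  const gmail = makeFakeGmail(new Set(['fresh-token']));
  const url = 'https://www.googleapis.com/gmail/v1/users/me/threads';
  const response = await fetchWithAuth(identity, gmail, url);
  return { status: response.status, tokensTried: gmail.calls, removed: identity.removed };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

With the fakes above the first attempt sends the stale token and gets 401, the token is evicted, and the interactive retry obtains the fresh token and succeeds. Validation status can be cached per app lifetime as koto suggests, but the evict-on-401 path still has to stay in place because a token can be revoked at any point after it was validated.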