Previously, when an API request was made using an expired or invalid access token, a Faraday::UnauthorizedError was raised and the request failed.
Recently we've seen a bunch of these exceptions happening due to some other problems in editor-standalone and/or in the editor-ui web component - see this issue for more details.
Failing hard with an exception like this seems a bit over the top when the user is trying to view a public project for which they don't need to be logged-in. And it seems as if User.from_token might have been expecting HydraPublicApiClient.fetch_oauth_user to return nil when the token was invalid when in fact it returns a 401 Unauthorized HTTP status code which results in a Faraday::UnauthorizedError exception being raised.
This commit rescues the Faraday::UnauthorizedError exception, captures the exception in Sentry in case we want to know about it, but then returns nil. This means that if the user is trying to carry out an action that does not require them to be logged-in, they can still do so despite their access token not being valid.
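The before/after behaviour the commit describes, as an added example that is not the project's own code. HydraPublicApiClient's behaviour, the token values and the Sentry stand-in are constructed so it runs offline; only Faraday::UnauthorizedError (not every client error) is rescued, so unrelated API failures still surface.

```ruby
# Stand-ins so this runs without the faraday and sentry-ruby gems. In the app,
# Faraday's RaiseError middleware raises Faraday::UnauthorizedError on a 401 and
# Sentry.capture_exception reports the error.
module Faraday
  class ClientError < StandardError; end
  class UnauthorizedError < ClientError; end
end unless defined?(Faraday::UnauthorizedError)

module Sentry
  def self.captured
    @captured ||= []
  end

  def self.capture_exception(error)
    captured << error
  end
end

class HydraPublicApiClient
  # Constructed stand-in: a known token yields user attributes; anything else
  # behaves like the real client receiving a 401 Unauthorized response.
  VALID_TOKENS = { "valid-token" => { "id" => 42, "name" => "Ada" } }.freeze

  def self.fetch_oauth_user(access_token)
    VALID_TOKENS.fetch(access_token) do
      raise Faraday::UnauthorizedError, "the server responded with status 401"
    end
  end
end

class User
  attr_reader :id, :name

  def initialize(id:, name:)
    @id = id
    @name = name
  end

  # Before the change an expired/invalid token let Faraday::UnauthorizedError
  # propagate and the whole request failed, even for actions that need no
  # login. Now the exception is reported to Sentry and nil is returned, so
  # callers treat the visitor as anonymous and public actions still succeed.
  def self.from_token(access_token)
    attrs = HydraPublicApiClient.fetch_oauth_user(access_token)
    new(id: attrs["id"], name: attrs["name"])
  rescue Faraday::UnauthorizedError => e
    Sentry.capture_exception(e)
    nil
  end
end
```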