Invalid Refresh Token issue

[tymolls]

Thank you for taking the time to submit an issue with all the details shown below. Our engineering team monitors issues submitted and strives to respond with 1-2 business days.

• PHP version: 7.3
• SDK version: ^3.0

Current behavior

We've begun getting invalid token for the refresh token on our API integration with HelpScout.

The error message specifically is: Client error: POST https://api.helpscout.net/v2/oauth2/token resulted in a 400 Bad Request response: {"error_description":"Invalid refresh_token","error":"invalid_request"}

Everything was working fine, and the app credentials are still valid.

When I tried to replay the error in Rollbar, I got this: Helpscout helpdesk error: Signature mismatch: Expected signature is xmrOl2Rwf66y6NQrdld/JFGMdzw=. tdysaqdApzeCJPo/kaGMFegn2Go= was provided.

We're using the HelpScout PHP package ("helpscout/api": "^3.0") to interact with your API.

This is what the response & error message says:

Client error: `POST https://api.helpscout.net/v2/oauth2/token` resulted in a `400 Bad Request` response:
{"error_description":"Invalid refresh_token","error":"invalid_request"}

We don't log the full error occurrence, just the error message. This seems to be happening for incoming webhook, which is weird, as we should only be using the API for outgoing calls.

We created an App, which helps auto-translate HelpScout conversations in foreign languages. The app can be found here. This then creates a Webhook on the customer's profile that can be found here.

We use the Refresh Token authentication in the HelpScout guide, and this can be found here:

    public function getClient($helpdesk)
    {
        $this->config = config('helpdesk.helpscout');
        $appId = $this->config['appId'];
        $appSecret = $this->config['appSecret'];

        $this->client = ApiClientFactory::createClient([], function (Authenticator $authenticator) use ($helpdesk) {
            $helpdesk->access_token = json_encode($authenticator->getTokens());
            $helpdesk->save();
        });

        $this->client->useRefreshToken($appId, $appSecret, json_decode($helpdesk->access_token)->refresh_token);

        return $helpdesk;
    }

(it's always worked, not sure what has changed recently).

Expected behavior

Refresh token works automatically without any issues.

Steps to reproduce

1. Send incoming web hook to Website
2. Incoming web hook authenticates request, and app.

[miguelrs]

Hey, thanks for reporting this issue. Trying to look at this, I've seen that the links to the screenshots you posted are no longer available. Could you please edit them so I can see what you shared?

[tymolls]

Hey, thanks for reporting this issue. Trying to look at this, I've seen that the links to the screenshots you posted are no longer available. Could you please edit them so I can see what you shared?

@miguelrs - original issue updated.

[miguelrs]

We're closing this issue due to inactivity. We've moved your request to our backlog of tickets, although we can't tell when we will be able to act on it. Please feel free to reopen if needed. Thank you!

[jokull]

I think in this line you used the access token not the refresh token:

$this->client->useRefreshToken($appId, $appSecret, json_decode($helpdesk->access_token)->refresh_token);