From 049fd1766eae42f2077c221e02ff08cb44bd90ee Mon Sep 17 00:00:00 2001
From: Mark Hilbush <mark@hilbush.com>
Date: Sun, 15 May 2022 16:03:04 -0400
Subject: [PATCH] [nest] Fix for missing refresh token after reauthorization
 (#12711)

Signed-off-by: Mark Hilbush <mark@hilbush.com>
---
 bundles/org.openhab.binding.nest/README.md                | 8 ++++----
 .../openhab/binding/nest/internal/sdm/api/PubSubAPI.java  | 8 +++++++-
 .../org/openhab/binding/nest/internal/sdm/api/SDMAPI.java | 4 ++++
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/bundles/org.openhab.binding.nest/README.md b/bundles/org.openhab.binding.nest/README.md
index dafb82966e..c4142637d3 100644
--- a/bundles/org.openhab.binding.nest/README.md
+++ b/bundles/org.openhab.binding.nest/README.md
@@ -89,11 +89,11 @@ Finally, an SDM Account Thing can be created to access the SDM project using the
 1. Create an authorization code for the binding:
     1. Replace the **Project ID** and **Client ID** in the URL below with your SDM Project ID and SDM OAuth 2.0 Client ID and open the URL in a new browser tab:
        
-       `https://nestservices.google.com/partnerconnections/<ProjectID>/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
+       `https://nestservices.google.com/partnerconnections/<ProjectID>/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&prompt=consent&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
        
        For the example values used so far this is:
        
-       `https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`
+       `https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&prompt=consent&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`
     1. Enable all the permissions you want to use with the binding and click "Next" to continue
     1. Login using your Google account when prompted
     1. On the "Google hasn't verified this app" page, click on "Advanced"
@@ -153,11 +153,11 @@ Finally, the existing SDM Account Thing can be updated so it can subscribe to SD
 1. Create an authorization code for the binding:
     1. Replace the **Client ID** in the URL below with your Pub/Sub OAuth 2.0 Client ID and open the URL in a new browser tab:
        
-       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
+       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&prompt=consent&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
        
        For the example client this is:
        
-       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`
+       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&prompt=consent&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`
     1. Login using your Google account when prompted
     1. On the "Google hasn't verified this app" page, click on "Advanced"
     1. Then click on "Go to ... (advanced)"
diff --git a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
index c93242c206..748315db7a 100644
--- a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
+++ b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
@@ -79,6 +79,7 @@ public class PubSubAPI {
             }
 
             try {
+                checkAccessTokenValidity();
                 String messages = pullSubscriptionMessages(subscriptionId);
 
                 PubSubPullResponse pullResponse = GSON.fromJson(messages, PubSubPullResponse.class);
@@ -104,7 +105,8 @@ public class PubSubAPI {
                     scheduler.schedule(this, RETRY_TIMEOUT.toNanos(), TimeUnit.NANOSECONDS);
                 }
             } catch (InvalidPubSubAccessTokenException e) {
-                logger.warn("Cannot pull messages for '{}' subscription (access token invalid)", subscriptionId, e);
+                logger.warn("Cannot pull messages for '{}' subscription (access or refresh token invalid)",
+                        subscriptionId, e);
                 forEachListener(listener -> listener.onError(e));
             } catch (Exception e) {
                 logger.warn("Unexpected exception while pulling message for '{}' subscription", subscriptionId, e);
@@ -225,6 +227,10 @@ public class PubSubAPI {
                 throw new InvalidPubSubAccessTokenException(
                         "No Pub/Sub access token. Client may not have been authorized.");
             }
+            if (response.getRefreshToken() == null || response.getRefreshToken().isEmpty()) {
+                throw new InvalidPubSubAccessTokenException(
+                        "No Pub/Sub refresh token. Delete and readd credentials, then reauthorize.");
+            }
             return BEARER + response.getAccessToken();
         } catch (OAuthException | OAuthResponseException e) {
             throw new InvalidPubSubAccessTokenException(
diff --git a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
index 8ee9494111..c7101a3540 100644
--- a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
+++ b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
@@ -136,6 +136,10 @@ public class SDMAPI {
             if (response == null || response.getAccessToken() == null || response.getAccessToken().isEmpty()) {
                 throw new InvalidSDMAccessTokenException("No SDM access token. Client may not have been authorized.");
             }
+            if (response.getRefreshToken() == null || response.getRefreshToken().isEmpty()) {
+                throw new InvalidSDMAccessTokenException(
+                        "No SDM refresh token. Delete and readd credentials, then reauthorize.");
+            }
             return BEARER + response.getAccessToken();
         } catch (OAuthException | OAuthResponseException e) {
             throw new InvalidSDMAccessTokenException(
-- 
2.47.3