From 9bfd9e75bdac26b1f091dd20b8dd80ddba934ec0 Mon Sep 17 00:00:00 2001
From: aaronbauman <aaronbauman@384578.no-reply.drupal.org>
Date: Thu, 11 Mar 2021 13:23:06 -0500
Subject: [PATCH] Issue #3191597 by AaronBauman, VladimirAus: POST
 https://login.salesforce.com/id/...` resulted in a `403 Forbidden` response:
 Bad_OAuth_Token

---
 src/Form/SalesforceAuthForm.php          |  2 +-
 src/SalesforceAuthProviderPluginBase.php | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/Form/SalesforceAuthForm.php b/src/Form/SalesforceAuthForm.php
index 0a1834ac..4521163e 100644
--- a/src/Form/SalesforceAuthForm.php
+++ b/src/Form/SalesforceAuthForm.php
@@ -141,7 +141,7 @@ class SalesforceAuthForm extends EntityForm {
     $this->entity->getPlugin()->submitConfigurationform($form, $form_state);
     // If redirect is not already set, and we have no errors, send user back to
     // the AuthConfig listing page.
-    if (!$form_state->getErrors() && !$form_state->getRedirect()) {
+    if (!$form_state->getErrors() && !$form_state->getResponse() && !$form_state->getRedirect()) {
       $form_state->setRedirectUrl($this->entity->toUrl('collection'));
     }
   }
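Review bot: The comment above the condition still describes only two cases (a redirect already set, or errors), but the new `!$form_state->getResponse()` term adds a third. Suggest rewording it to `// If no response or redirect is already set, and we have no errors, send user back to the AuthConfig listing page.` so the next reader sees why the check is there. Presumably it exists because the plugin's submit handler can set an off-site OAuth response. The enclosing method starts outside the hunk.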
diff --git a/src/SalesforceAuthProviderPluginBase.php b/src/SalesforceAuthProviderPluginBase.php
index c24119db..be042046 100644
--- a/src/SalesforceAuthProviderPluginBase.php
+++ b/src/SalesforceAuthProviderPluginBase.php
@@ -5,6 +5,7 @@ namespace Drupal\salesforce;
 use Drupal\Core\DependencyInjection\DependencySerializationTrait;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Messenger\MessengerTrait;
+use Drupal\Core\Routing\TrustedRedirectResponse;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\salesforce\Storage\SalesforceAuthTokenStorageInterface;
 use OAuth\Common\Http\Client\ClientInterface;
@@ -171,6 +172,13 @@ abstract class SalesforceAuthProviderPluginBase extends Salesforce implements Sa
    * {@inheritdoc}
    */
   public function save(array $form, FormStateInterface $form_state) {
+    if ($form_state->getResponse() instanceof TrustedRedirectResponse) {
+      // If we're redirecting off-site, do not proceed with save operation.
+      // We'll finish saving form input when we complete the OAuth handshake
+      // from Salesforce.
+      return FALSE;
+    }
+
     // Initialize identity if token is available.
     if (!$this->hasAccessToken()) {
       return TRUE;
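Review bot: `save()` returns FALSE at the new guard even though nothing failed, and the catch block added further down in the same method also returns FALSE, so a caller cannot tell a pending OAuth handshake from a failed identity lookup. The docblock is only `{@inheritdoc}`; it would help to document the outcomes there, or at least add `// Not an error: the OAuth callback finishes the save.` above this `return FALSE;`. The guard also keys only on the response class, so any `TrustedRedirectResponse` on the form state skips the save, not just the Salesforce authorization redirect; whether another one can be set at this point is not visible here. The method body continues outside the hunk.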
@@ -181,7 +189,14 @@ abstract class SalesforceAuthProviderPluginBase extends Salesforce implements Sa
       'Content-type' => 'application/json',
     ];
     $data = $token->getExtraParams();
-    $response = $this->httpClient->retrieveResponse(new Uri($data['id']), [], $headers);
+    try {
+      $response = $this->httpClient->retrieveResponse(new Uri($data['id']), [], $headers);
+    }
+    catch (\Exception $e) {
+      $this->messenger()->addError($e->getMessage());
+      $form_state->disableRedirect();
+      return FALSE;
+    }
     $identity = $this->parseIdentityResponse($response);
     $this->storage->storeIdentity($this->service(), $identity);
     return TRUE;
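Review bot: The catch block passes `$e->getMessage()` straight to `messenger()->addError()`, which puts the HTTP client's raw error text on the page; the subject line of this commit shows what such a message looks like, including the identity URL and the upstream error code. Prefer logging the exception and showing a fixed message, e.g. `watchdog_exception('salesforce', $e);` followed by `$this->messenger()->addError($this->t('Unable to retrieve the Salesforce identity; see the site log.'));`. Catching `\Exception` also hides which failures are expected here; narrowing to the HTTP client's own exception type would be clearer if one is available. On this path the access token presumably stays stored while no identity is saved, so it is worth confirming that code relying on `hasAccessToken()` copes with that state. The start of `save()` is outside this hunk.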
-- 
GitLab