
Fix domain verification error handling using CallbackError

Open pauldruziak opened this issue 2 months ago • 0 comments

Problem

Users experiencing domain verification failures currently see 500 Internal Server Errors instead of proper authentication failure messages. This creates a poor user experience and makes debugging difficult, as errors appear in exception tracking systems rather than being handled gracefully through OmniAuth's failure callback mechanism.

Solution

Replace the custom DomainVerificationError class with OmniAuth::Strategies::OAuth2::CallbackError to ensure proper error handling.

Key Changes

  • Removes custom DomainVerificationError class (inherited from OmniAuth::Error)
  • Uses OmniAuth::Strategies::OAuth2::CallbackError for domain verification failures
  • Updates tests to expect CallbackError with :domain_verification_failed symbol
  • Changes require statement from omniauth to omniauth-oauth2

Rationale

The omniauth-oauth2 gem's callback_phase only rescues specific exceptions:

rescue ::OAuth2::Error, CallbackError => e
  fail!(:invalid_credentials, e)
end

The previous DomainVerificationError inherited from OmniAuth::Error, which is not in this rescue clause, causing it to bubble up as an unhandled 500 error.

By using CallbackError, the error is:

  • ✅ Caught by the existing rescue clause
  • ✅ Converted to an OmniAuth failure automatically
  • ✅ Redirected to the failure path with a proper error message

Pattern Consistency

This follows the established pattern used by omniauth-google-oauth2 for hosted domain verification, ensuring consistency across the OmniAuth ecosystem.

Error Handling Flow

Before (❌):

Domain verification fails → DomainVerificationError → Not caught → 500 error

After (✅):

Domain verification fails → CallbackError → Caught by rescue → OmniAuth failure callback → User-friendly error
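The rescue behaviour described under Rationale and in the flow above, as an added example that is not part of this issue or of the gem's code. It uses minimal local stand-ins for OmniAuth::Error and OmniAuth::Strategies::OAuth2::CallbackError (shaped like the real classes), a constructed allow-list of verified domains, and a simulated callback_phase that mirrors the gem's rescue clause; these names and values are assumptions for the illustration.

```ruby
# Added example (not the gem's code): stand-ins for the OmniAuth classes
# involved, showing why a CallbackError becomes an OmniAuth failure while
# an OmniAuth::Error subclass escapes the rescue and surfaces as a 500.
module OmniAuth
  class Error < StandardError; end

  module Strategies
    class OAuth2
      # Mirrors the shape of omniauth-oauth2's CallbackError.
      class CallbackError < StandardError
        attr_reader :error, :error_reason, :error_uri

        def initialize(error, error_reason = nil, error_uri = nil)
          @error, @error_reason, @error_uri = error, error_reason, error_uri
          super([error, error_reason, error_uri].compact.join(" | "))
        end
      end
    end
  end
end

# The old approach: a custom subclass of OmniAuth::Error.
class DomainVerificationError < OmniAuth::Error; end

VERIFIED_DOMAINS = %w[example.com].freeze # constructed sample allow-list

# Checks the e-mail's domain against the allow-list and raises the given
# error class when it is not verified; returns the domain otherwise.
def verify_domain!(email, error_class:)
  domain = email.to_s.split("@", 2)[1].to_s.downcase
  return domain if VERIFIED_DOMAINS.include?(domain)

  reason = "#{domain} is not a verified domain"
  if error_class == OmniAuth::Strategies::OAuth2::CallbackError
    raise error_class.new(:domain_verification_failed, reason)
  end
  raise error_class, reason
end

# Simulates omniauth-oauth2's callback_phase rescue (::OAuth2::Error omitted
# here). Returns what fail! would receive; anything else propagates, which
# is what the application sees as a 500.
def callback_phase(email, error_class:)
  domain = verify_domain!(email, error_class: error_class)
  [:success, domain]
rescue OmniAuth::Strategies::OAuth2::CallbackError => e
  [:failure, :invalid_credentials, e.message]
end
```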

Testing

Updated test in domain_verifier_spec.rb:

  • Expects CallbackError with :domain_verification_failed symbol
  • Verifies error message includes "not a verified domain"
  • Ensures structured error data for proper handling

Compatibility

Backward compatible - Applications using this gem don't need code changes. The error is still caught and handled through OmniAuth's standard failure mechanism.

pauldruziak, Oct 16 '25 18:10