chore: merge master

Author: csuermann

Authorization.ts

@@ -1,4 +1,5 @@
-import Axios, { AxiosResponse } from 'axios'
+import Axios, { AxiosResponse, AxiosError } from 'axios'
+import * as log from 'log'
 
 export interface AccessTokenResponse {
   access_token: string
@@ -54,21 +55,58 @@ export async function fetchAccessAndRefreshToken(
 export async function fetchFreshAccessToken(
   refreshToken: string
 ): Promise<AccessTokenResponse> {
-  const response: AxiosResponse = await Axios.post(
-    'https://api.amazon.com/auth/o2/token',
-    `grant_type=refresh_token&refresh_token=${refreshToken}&client_id=${process.env.ALEXA_CLIENT_ID}&client_secret=${process.env.ALEXA_CLIENT_SECRET}`,
-    {
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded',
-      },
-    }
-  )
+  const refreshTokenPrefix = refreshToken?.substring(0, 12) + '...'
+  const clientId = process.env.ALEXA_CLIENT_ID?.substring(0, 20) + '...'
+  
+  try {
+    log.info('Attempting token refresh', {
+      refreshTokenPrefix,
+      clientId,
+      endpoint: 'https://api.amazon.com/auth/o2/token'
+    })
 
-  // {
-  //   "access_token":"Atza|IQEBLjAsAhRmHjNmHpi0U-Dme37rR6CuUpSR...",
-  //   "token_type":"bearer",
-  //   "expires_in":3600,
-  //   "refresh_token":"Atzr|IQEBLzAtAhRxpMJxdwVz2Nn6f2y-tpJX3DeX..."
-  // }
-  return response.data
+    const response: AxiosResponse = await Axios.post(
+      'https://api.amazon.com/auth/o2/token',
+      `grant_type=refresh_token&refresh_token=${refreshToken}&client_id=${process.env.ALEXA_CLIENT_ID}&client_secret=${process.env.ALEXA_CLIENT_SECRET}`,
+      {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+      }
+    )
+
+    log.info('Token refresh successful', {
+      refreshTokenPrefix,
+      hasNewAccessToken: !!response.data.access_token,
+      hasNewRefreshToken: !!response.data.refresh_token,
+      expiresIn: response.data.expires_in
+    })
+
+    return response.data
+  } catch (error) {
+    const axiosError = error as AxiosError
+    
+    log.error('Token refresh failed', {
+      refreshTokenPrefix,
+      clientId,
+      status: axiosError.response?.status,
+      statusText: axiosError.response?.statusText,
+      errorCode: axiosError.code,
+      errorMessage: axiosError.message,
+      responseData: axiosError.response?.data,
+      headers: axiosError.response?.headers,
+      url: axiosError.config?.url,
+      method: axiosError.config?.method
+    })
+
+    // Re-throw with enhanced error context
+    const enhancedError = new Error(`Token refresh failed: ${axiosError.response?.status} ${axiosError.response?.statusText}`)
+    enhancedError.name = 'TokenRefreshError'
+    ;(enhancedError as any).originalError = error
+    ;(enhancedError as any).refreshTokenPrefix = refreshTokenPrefix
+    ;(enhancedError as any).status = axiosError.response?.status
+    ;(enhancedError as any).responseData = axiosError.response?.data
+    
+    throw enhancedError
+  }
 }

db.ts

@@ -1,5 +1,6 @@
 import * as AWS from 'aws-sdk'
 import dayjs = require('dayjs')
+import * as log from 'log'
 import {
   fetchFreshAccessToken,
   PartialUserRecord,
@@ -168,18 +169,61 @@ export async function getUserRecord(
     const tokenExpiry = dayjs(data.accessTokenExpiry).subtract(15, 'second')
 
     if (tokenExpiry.isBefore(now)) {
-      const newTokens = await fetchFreshAccessToken(data.refreshToken)
-
-      await upsertTokens(
-        {
-          userId,
-          accessToken: newTokens.access_token,
-          refreshToken: newTokens.refresh_token,
-        },
-        newTokens.expires_in
-      )
-
-      data.accessToken = newTokens.access_token
+      log.info('Token expired, attempting refresh', {
+        userId: userId.substring(0, 8) + '...',
+        tokenExpiry: tokenExpiry.toISOString(),
+        currentTime: now.toISOString(),
+        refreshTokenPrefix: data.refreshToken?.substring(0, 12) + '...'
+      })
+
+      try {
+        const newTokens = await fetchFreshAccessToken(data.refreshToken)
+
+        await upsertTokens(
+          {
+            userId,
+            accessToken: newTokens.access_token,
+            refreshToken: newTokens.refresh_token,
+          },
+          newTokens.expires_in
+        )
+
+        data.accessToken = newTokens.access_token
+        
+        log.info('Token refresh and database update successful', {
+          userId: userId.substring(0, 8) + '...',
+          hasNewAccessToken: !!newTokens.access_token,
+          hasNewRefreshToken: !!newTokens.refresh_token,
+          newExpiresIn: newTokens.expires_in
+        })
+      } catch (error) {
+        log.error('Token refresh failed in getUserRecord', {
+          userId: userId.substring(0, 8) + '...',
+          errorName: error.name,
+          errorMessage: error.message,
+          tokenExpiry: tokenExpiry.toISOString(),
+          refreshTokenPrefix: data.refreshToken?.substring(0, 12) + '...',
+          originalError: error.originalError?.message,
+          status: error.status,
+          responseData: error.responseData
+        })
+        
+        // Re-throw with additional context for upstream handlers
+        const contextualError = new Error(`Token refresh failed for user ${userId.substring(0, 8)}...: ${error.message}`)
+        contextualError.name = 'UserTokenRefreshError'
+        ;(contextualError as any).userId = userId
+        ;(contextualError as any).originalError = error
+        ;(contextualError as any).tokenExpiry = tokenExpiry.toISOString()
+        
+        throw contextualError
+      }
+    } else {
+      log.debug('Token still valid, no refresh needed', {
+        userId: userId.substring(0, 8) + '...',
+        tokenExpiry: tokenExpiry.toISOString(),
+        currentTime: now.toISOString(),
+        timeUntilExpiry: tokenExpiry.diff(now, 'seconds') + ' seconds'
+      })
     }
   }
 

handler.ts

@@ -74,16 +74,120 @@ export const skill = async function (event, context) {
     const accessToken = extractAccessTokenFromEvent(event)
     event.profile = await fetchProfile(accessToken)
   } catch (e) {
+    // Enhanced error logging for token-related failures
+    const accessToken = extractAccessTokenFromEvent(event)
+    const tokenPrefix = accessToken?.substring(0, 12) + '...'
+    
+    // Determine the error type and appropriate response
+    let errorType = 'EXPIRED_AUTHORIZATION_CREDENTIAL'
+    let errorMessage = 'invalid token'
+    let shouldDisableSkill = true
+    
+    // Handle ProfileFetchError specifically
+    if (e.name === 'ProfileFetchError') {
+      if (e.isRetryable && !e.isAuthError) {
+        // Network/server errors should not disable the skill
+        errorType = 'INTERNAL_ERROR'
+        errorMessage = 'temporary service unavailable'
+        shouldDisableSkill = false
+        
+        log.warn('NETWORK/SERVER ERROR detected - NOT disabling skill', {
+          directive: event.directive?.header?.name,
+          tokenPrefix,
+          errorCategory: e.errorCategory,
+          status: e.status,
+          isRetryable: e.isRetryable,
+          isAuthError: e.isAuthError,
+          responseData: e.responseData,
+          requestId: context?.awsRequestId
+        })
+      } else if (e.isAuthError) {
+        // Actual auth errors should disable the skill
+        shouldDisableSkill = true
+        
+        log.error('AUTHENTICATION ERROR detected - skill may be disabled', {
+          directive: event.directive?.header?.name,
+          tokenPrefix,
+          errorCategory: e.errorCategory,
+          status: e.status,
+          isAuthError: e.isAuthError,
+          responseData: e.responseData,
+          requestId: context?.awsRequestId
+        })
+      }
+    }
+    
+    log.error('Skill authentication failed', {
+      directive: event.directive?.header?.name,
+      tokenPrefix,
+      errorName: e.name,
+      errorMessage: e.message,
+      errorStack: e.stack,
+      requestId: context?.awsRequestId,
+      userId: event.profile?.user_id || 'unknown',
+      errorType,
+      shouldDisableSkill,
+      // Enhanced classification for ProfileFetchError
+      errorCategory: e.errorCategory || 'unknown',
+      isRetryable: e.isRetryable || false,
+      isAuthError: e.isAuthError || false,
+      // Check if this is a token refresh error
+      isTokenRefreshError: e.name === 'UserTokenRefreshError' || e.name === 'TokenRefreshError',
+      originalTokenError: e.originalError?.message,
+      tokenStatus: e.status,
+      responseData: e.responseData
+    })
+
+    // Log specific patterns that indicate different failure types
+    if (e.name === 'UserTokenRefreshError' || e.name === 'TokenRefreshError') {
+      log.error('TOKEN REFRESH FAILURE detected - potential skill auto-disable cause', {
+        userId: e.userId || 'unknown',
+        refreshTokenPrefix: e.refreshTokenPrefix,
+        tokenExpiry: e.tokenExpiry,
+        httpStatus: e.status,
+        amazonResponse: e.responseData
+      })
+    } else if (e.name === 'ProfileFetchError' && e.errorCategory === 'NETWORK_ERROR') {
+      log.warn('NETWORK ERROR on profile fetch - should NOT cause skill disable', {
+        tokenPrefix,
+        errorCategory: e.errorCategory,
+        errorCode: e.originalError?.code,
+        likelyCase: 'Temporary network/DNS/timeout issue'
+      })
+    } else if (e.name === 'ProfileFetchError' && e.errorCategory === 'SERVER_ERROR') {
+      log.warn('AMAZON API SERVER ERROR - should NOT cause skill disable', {
+        tokenPrefix,
+        status: e.status,
+        errorCategory: e.errorCategory,
+        likelyCase: 'Amazon API temporary downtime/overload'
+      })
+    } else if (e.message?.includes('401') || e.message?.includes('403') || 
+               (e.name === 'ProfileFetchError' && e.isAuthError)) {
+      log.error('HTTP AUTH ERROR detected', {
+        tokenPrefix,
+        httpError: e.message,
+        errorCategory: e.errorCategory || 'unknown',
+        likelyCase: 'User revoked permissions or client credentials changed'
+      })
+    } else if (e.message?.includes('invalid_grant')) {
+      log.error('INVALID_GRANT ERROR detected', {
+        tokenPrefix,
+        likelyCase: 'Refresh token expired, user permissions revoked, or client config changed'
+      })
+    }
+
     const response = createErrorResponse(
       event,
-      'EXPIRED_AUTHORIZATION_CREDENTIAL',
-      'invalid token'
+      errorType,
+      errorMessage
     )
+    
     log.notice(
-      'REQUEST: %j \n EXCEPTION: %o \n RESPONSE: %j',
+      'REQUEST: %j \n EXCEPTION: %o \n RESPONSE: %j \n SKILL_DISABLE_RISK: %s',
       event,
       e,
-      response
+      response,
+      shouldDisableSkill ? 'HIGH' : 'LOW'
     )
     return response
   }

helper.ts

@@ -65,16 +65,97 @@ export function extractAccessTokenFromEvent(event): string {
 }
 
 export async function fetchProfile(accessToken: string) {
-  const response: AxiosResponse = await Axios.get(
-    'https://api.amazon.com/user/profile',
-    {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-      },
+  const tokenPrefix = accessToken?.substring(0, 12) + '...'
+  
+  try {
+    log.debug('Fetching user profile from Amazon', {
+      tokenPrefix,
+      endpoint: 'https://api.amazon.com/user/profile'
+    })
+
+    const response: AxiosResponse = await Axios.get(
+      'https://api.amazon.com/user/profile',
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      }
+    )
+
+    log.debug('Profile fetch successful', {
+      tokenPrefix,
+      userId: response.data?.user_id?.substring(0, 8) + '...',
+      email: response.data?.email ? 'present' : 'absent'
+    })
+
+    return response.data
+  } catch (error) {
+    const axiosError = error as any
+    const status = axiosError.response?.status
+    const statusText = axiosError.response?.statusText
+    const responseData = axiosError.response?.data
+    
+    // Categorize the error type
+    let errorCategory = 'UNKNOWN'
+    let isRetryable = false
+    let isAuthError = false
+    
+    if (status) {
+      if (status === 401) {
+        errorCategory = 'INVALID_TOKEN'
+        isAuthError = true
+      } else if (status === 403) {
+        errorCategory = 'FORBIDDEN_TOKEN'  
+        isAuthError = true
+      } else if (status >= 500 && status <= 599) {
+        errorCategory = 'SERVER_ERROR'
+        isRetryable = true
+      } else if (status === 429) {
+        errorCategory = 'RATE_LIMITED'
+        isRetryable = true
+      } else if (status >= 400 && status <= 499) {
+        errorCategory = 'CLIENT_ERROR'
+        isAuthError = true
+      }
+    } else {
+      // Network-level errors (timeouts, DNS, connection refused)
+      if (axiosError.code === 'ECONNREFUSED' || axiosError.code === 'ENOTFOUND' || 
+          axiosError.code === 'ETIMEDOUT' || axiosError.code === 'ECONNRESET') {
+        errorCategory = 'NETWORK_ERROR'
+        isRetryable = true
+      } else {
+        errorCategory = 'CONNECTION_ERROR'
+        isRetryable = true
+      }
     }
-  )
 
-  return response.data
+    log.error('Profile fetch failed', {
+      tokenPrefix,
+      status,
+      statusText,
+      errorCategory,
+      isRetryable,
+      isAuthError,
+      errorCode: axiosError.code,
+      errorMessage: axiosError.message,
+      responseData,
+      url: axiosError.config?.url,
+      timeout: axiosError.config?.timeout
+    })
+
+    // Create enhanced error with classification
+    const enhancedError = new Error(`Profile fetch failed: ${status ? `${status} ${statusText}` : axiosError.message}`)
+    enhancedError.name = 'ProfileFetchError'
+    ;(enhancedError as any).originalError = error
+    ;(enhancedError as any).tokenPrefix = tokenPrefix
+    ;(enhancedError as any).status = status
+    ;(enhancedError as any).errorCategory = errorCategory
+    ;(enhancedError as any).isRetryable = isRetryable
+    ;(enhancedError as any).isAuthError = isAuthError
+    ;(enhancedError as any).responseData = responseData
+    
+    throw enhancedError
+  }
 }
 
 export function createErrorResponse(