From 9c6c01d619d9e0859b5635dff18a7b292bf87fbe Mon Sep 17 00:00:00 2001
From: Paul Huliganga <paje0101@gmail.com>
Date: Thu, 16 Apr 2026 10:10:12 -0400
Subject: [PATCH] fix: correct Adobe Sign token refresh endpoint and add auth
 error handling

Adobe Sign uses a non-standard separate endpoint for refresh:
/oauth/v2/refresh (not /oauth/v2/token). Using the wrong endpoint
returned a misleading "Invalid grant_type refresh_token" error.

Also:
- Remove redirect_uri from refresh requests (not required)
- Add clear RuntimeError message directing user to re-authenticate
- Validate access_token is non-empty before saving in adobe_auth.py
- Log token lengths and exchange response keys on successful auth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/adobe_api.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/adobe_api.py b/src/adobe_api.py
index e649af5..6f1d230 100644
--- a/src/adobe_api.py
+++ b/src/adobe_api.py
@@ -5,8 +5,8 @@ from dotenv import load_dotenv, set_key
 load_dotenv()
 
 SHARD = "eu2"
-TOKEN_URL = f"https://api.{SHARD}.adobesign.com/oauth/v2/token"
-REDIRECT_URI = "https://localhost:8080/callback"
+TOKEN_URL = f"https://api.{SHARD}.adobesign.com/oauth/v2/token"    # initial auth code exchange
+REFRESH_URL = f"https://api.{SHARD}.adobesign.com/oauth/v2/refresh"  # token refresh (non-standard separate endpoint)
 ENV_FILE = os.path.join(os.path.dirname(__file__), "..", ".env")
 
 
@@ -16,21 +16,22 @@ def _refresh_access_token():
     refresh_token = os.getenv("ADOBE_REFRESH_TOKEN")
 
     if not all([client_id, client_secret, refresh_token]):
-        raise RuntimeError("Missing credentials for token refresh. Run src/auth_adobe.py first.")
+        raise RuntimeError("Missing credentials for token refresh. Run src/adobe_auth.py first.")
 
     data = {
         "grant_type": "refresh_token",
         "refresh_token": refresh_token,
         "client_id": client_id,
         "client_secret": client_secret,
-        "redirect_uri": REDIRECT_URI,
     }
-    resp = requests.post(TOKEN_URL, data=data)
-    resp.raise_for_status()
+    resp = requests.post(REFRESH_URL, data=data)
+    if not resp.ok:
+        raise RuntimeError(
+            f"Adobe Sign refresh token is invalid or expired ({resp.status_code}: {resp.text}). "
+            "Run `python3 src/adobe_auth.py` to re-authenticate."
+        )
     new_token = resp.json()["access_token"]
-
-    abs_env = os.path.abspath(ENV_FILE)
-    set_key(abs_env, "ADOBE_ACCESS_TOKEN", new_token)
+    set_key(os.path.abspath(ENV_FILE), "ADOBE_ACCESS_TOKEN", new_token)
     os.environ["ADOBE_ACCESS_TOKEN"] = new_token
     return new_token