From aca18487e8384df9b4be56dc62396fe78f4fe59d Mon Sep 17 00:00:00 2001
From: Jared Snider <jsnider@bitwarden.com>
Date: Thu, 29 May 2025 14:33:16 -0400
Subject: [PATCH] PM-20532 - More service layer refactors and wiring up error
 handling.

---
 .../auth/send-access/models/send-access-token.ts | 16 +++++++++++-----
 .../services/send-token-api.service.ts           | 13 +++++++++----
 .../send-access/services/send-token.service.ts   |  8 +++++---
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/libs/common/src/auth/send-access/models/send-access-token.ts b/libs/common/src/auth/send-access/models/send-access-token.ts
index 5a6447148a4..14c38544864 100644
--- a/libs/common/src/auth/send-access/models/send-access-token.ts
+++ b/libs/common/src/auth/send-access/models/send-access-token.ts
@@ -1,5 +1,12 @@
 import { Jsonify } from "type-fest";
 
+export interface SendAccessTokenJson {
+  access_token: string;
+  expires_in: number; // in seconds
+  scope: string;
+  token_type: string;
+}
+
 export class SendAccessToken {
   constructor(
     /**
@@ -14,12 +21,11 @@ export class SendAccessToken {
 
   /**
    * Builds an instance from our Identity token response data
-   * @param accessToken The `access_token` string
-   * @param expiresInSeconds The `expires_in` value (in seconds)
+   * @param sendAccessTokenJson The JSON data from the Identity token response
    */
-  static fromResponseData(accessToken: string, expiresInSeconds: number): SendAccessToken {
-    const expiresAtTimeStamp = Date.now() + expiresInSeconds * 1000;
-    return new SendAccessToken(accessToken, expiresAtTimeStamp);
+  static fromResponseData(sendAccessTokenJson: SendAccessTokenJson): SendAccessToken {
+    const expiresAtTimeStamp = Date.now() + sendAccessTokenJson.expires_in * 1000;
+    return new SendAccessToken(sendAccessTokenJson.access_token, expiresAtTimeStamp);
   }
 
   /** Returns whether the send access token is expired or not */
diff --git a/libs/common/src/auth/send-access/services/send-token-api.service.ts b/libs/common/src/auth/send-access/services/send-token-api.service.ts
index e1ab19cd659..81707035269 100644
--- a/libs/common/src/auth/send-access/services/send-token-api.service.ts
+++ b/libs/common/src/auth/send-access/services/send-token-api.service.ts
@@ -8,7 +8,7 @@ import { SendAccessToken } from "../models/send-access-token";
 
 export type SendTokenApiRetrievalError =
   | "password-required"
-  | "otp-required"
+  | "email-and-otp-required"
   | "invalid-password"
   | "invalid-otp"
   | "unknown-error";
@@ -45,11 +45,16 @@ export class SendTokenApiService implements SendTokenApiServiceAbstraction {
     const responseJson = await response.json();
 
     if (response.status === 200) {
-      const sendAccessToken = SendAccessToken.fromJson(responseJson);
+      const sendAccessToken = SendAccessToken.fromResponseData(responseJson);
       return sendAccessToken;
     } else if (response.status === 400) {
-      // TODO: add correct error handling for 400
-      return "password-required";
+      if (responseJson?.error === "invalid_request") {
+        if (responseJson?.error_description === "Password is required.") {
+          return "password-required";
+        } else if (responseJson?.error_description === "Email and OTP are required.") {
+          return "email-and-otp-required";
+        }
+      }
     }
 
     return "unknown-error";
diff --git a/libs/common/src/auth/send-access/services/send-token.service.ts b/libs/common/src/auth/send-access/services/send-token.service.ts
index c1a5dc963ef..5d1195625ac 100644
--- a/libs/common/src/auth/send-access/services/send-token.service.ts
+++ b/libs/common/src/auth/send-access/services/send-token.service.ts
@@ -35,13 +35,15 @@ export const SEND_ACCESS_TOKEN_DICT = KeyDefinition.record<SendAccessToken, stri
 
 type CredentialsRequiredApiError = Extract<
   SendTokenApiRetrievalError,
-  "password-required" | "otp-required" | "unknown-error"
+  "password-required" | "email-and-otp-required" | "unknown-error"
 >;
 
 function isCredentialsRequiredApiError(
   error: SendTokenApiRetrievalError,
 ): error is CredentialsRequiredApiError {
-  return error === "password-required" || error === "otp-required" || error === "unknown-error";
+  return (
+    error === "password-required" || error === "email-and-otp-required" || error === "unknown-error"
+  );
 }
 
 export type TryGetSendAccessTokenError = "expired" | CredentialsRequiredApiError;
@@ -104,7 +106,7 @@ export class SendTokenService implements SendTokenServiceAbstraction {
 
     if (isCredentialsRequiredApiError(result)) {
       // If we get an expected API error, we return it.
-      // Typically, this will be a "password-required" or "otp-required" error to communicate that the send requires credentials to access.
+      // Typically, this will be a "password-required" or "email-and-otp-required" error to communicate that the send requires credentials to access.
       return result;
     }