Fixes ACCOUNTS-2. Catch decryption exception for OAuth2 flow

api/components/OAuth2/CryptTrait.php

@@ -3,6 +3,9 @@ declare(strict_types=1);
 
 namespace api\components\OAuth2;
 
+use LogicException;
+use RangeException;
+use SodiumException;
 use Yii;
 
 /**
@@ -20,7 +23,11 @@ trait CryptTrait {
     }
 
     protected function decrypt($encryptedData): string {
-        return Yii::$app->tokens->decryptValue($encryptedData);
+        try {
+            return Yii::$app->tokens->decryptValue($encryptedData);
+        } catch (SodiumException | RangeException $e) {
+            throw new LogicException($e->getMessage(), 0, $e);
+        }
     }
 
 }

api/components/Tokens/Component.php

@@ -107,6 +107,13 @@ class Component extends BaseComponent {
         return $cipher;
     }
 
+    /**
+     * @param string $encryptedValue
+     *
+     * @return string
+     * @throws \SodiumException
+     * @throws \RangeException
+     */
     public function decryptValue(string $encryptedValue): string {
         $decoded = Base64UrlSafe::decode($encryptedValue);
         Assert::true(mb_strlen($decoded, '8bit') >= (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES));

api/components/Tokens/TokenReader.php

@@ -6,12 +6,9 @@ namespace api\components\Tokens;
 use Lcobucci\JWT\Token;
 use Yii;
 
-class TokenReader {
+final class TokenReader {
 
-    /**
-     * @var Token
-     */
-    private $token;
+    private Token $token;
 
     public function __construct(Token $token) {
         $this->token = $token;
@@ -55,6 +52,10 @@ class TokenReader {
             return null;
         }
 
+        /**
+         * It really might throw an exception but we have not seen any case of such exception yet
+         * @noinspection PhpUnhandledExceptionInspection
+         */
         return Yii::$app->tokens->decryptValue($encodedClientToken);
     }