mozilla-services · jrconlin · May 9, 2024 · Apr 25, 2024 · Apr 25, 2024 · Apr 26, 2024
diff --git a/syncserver/src/tokenserver/extractors.rs b/syncserver/src/tokenserver/extractors.rs
@@ -113,6 +113,7 @@ impl TokenserverRequest {
             .contains(&self.auth_data.client_state)
         {
             let error_message = "Unacceptable client-state value stale value".to_owned();
+            warn!("Client attempted stale value"; "uid"=> self.user.uid, "client_state"=> self.user.client_state.clone());
             return Err(TokenserverError::invalid_client_state(error_message));
         }
 

diff --git a/tokenserver-common/src/error.rs b/tokenserver-common/src/error.rs
@@ -271,6 +271,14 @@ impl ReportableError for TokenserverError {
                 TokenType::BrowserId => Some("request.error.browser_id".to_owned()),
                 TokenType::Oauth => Some("request.error.oauth".to_owned()),
             }
+        } else if matches!(
+            self,
+            TokenserverError {
+                status: "invalid-client-state",
+                ..
+            }
+        ) {
+            Some("request.error.invalid_client_state".to_owned())
         } else {
             None
         }

diff --git a/tokenserver-db/src/lib.rs b/tokenserver-db/src/lib.rs
@@ -1,6 +1,8 @@
 extern crate diesel;
 #[macro_use]
 extern crate diesel_migrations;
+#[macro_use]
+extern crate slog_scope;
 
 mod error;
 pub mod mock;

diff --git a/tokenserver-db/src/models.rs b/tokenserver-db/src/models.rs
@@ -389,14 +389,22 @@ impl TokenserverDb {
             let raw_user = raw_users[0].clone();
 
             // Collect any old client states that differ from the current client state
-            let old_client_states = {
+            let old_client_states: Vec<String> = {
                 raw_users[1..]
                     .iter()
                     .map(|user| user.client_state.clone())
                     .filter(|client_state| client_state != &raw_user.client_state)
                     .collect()
             };
 
+            if !old_client_states.is_empty() {
+                info!(
+                    "Tokenserver user has old client states";
+                    "uid" => raw_user.uid,
+                    "count" => old_client_states.len()
+                )
+            }
+
-            if !old_client_states.is_empty() {
-                info!(
-                    "Tokenserver user has old client states";
-                    "uid" => raw_user.uid,
-                    "count" => old_client_states.len()
-                )
-            }
-            if !old_client_states.is_empty() {
-                info!(
-                    "Tokenserver user has old client states";
-                    "uid" => raw_user.uid,
-                    "count" => old_client_states.len()
-                )
-            }
             // Make sure every old row is marked as replaced. They might not be, due to races in row
             // creation.
             for old_user in &raw_users[1..] {
@@ -463,7 +471,11 @@ impl TokenserverDb {
                 // The most up-to-date user doesn't have a node and is retired. This is an internal
                 // service error for compatibility reasons (the legacy Tokenserver returned an
                 // internal service error in this situation).
-                (_, None) => Err(DbError::internal("Tokenserver user retired".to_owned())),
+                (_, None) => {
+                    let uid = raw_user.uid;
+                    warn!("Tokenserver user retired"; "uid" => &uid);
+                    Err(DbError::internal("Tokenserver user retired".to_owned()))
+                }
             }
         }
     }