cozy-harvest-lib 9.22.3 → 9.23.2

package/CHANGELOG.md

@@ -3,6 +3,40 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [9.23.2](https://github.com/cozy/cozy-libs/compare/cozy-harvest-lib@9.23.1...cozy-harvest-lib@9.23.2) (2022-07-26)
+
+
+### Bug Fixes
+
+* Invalidate temporary token cache when there is a change of BI user ([0fa3893](https://github.com/cozy/cozy-libs/commit/0fa3893bb6ac3c02bc88d15dae79e3772a6aef97))
+
+
+
+
+
+## [9.23.1](https://github.com/cozy/cozy-libs/compare/cozy-harvest-lib@9.23.0...cozy-harvest-lib@9.23.1) (2022-07-26)
+
+
+### Bug Fixes
+
+* Google connector in web mode ([1777fcc](https://github.com/cozy/cozy-libs/commit/1777fccc6b9e1e581189ca4563f851b341a60644))
+* OauthWindowInAppBrowser re-render ([334e7d8](https://github.com/cozy/cozy-libs/commit/334e7d8b7d777bf265803f81583a65f39fb0cabb))
+
+
+
+
+
+# [9.23.0](https://github.com/cozy/cozy-libs/compare/cozy-harvest-lib@9.22.3...cozy-harvest-lib@9.23.0) (2022-07-26)
+
+
+### Features
+
+* Add BI aggregator releationship to BI accounts ([cb7a79c](https://github.com/cozy/cozy-libs/commit/cb7a79c6cd72a9f8e95ae71307f27f04b68f0e94))
+
+
+
+
+
 ## [9.22.3](https://github.com/cozy/cozy-libs/compare/cozy-harvest-lib@9.22.2...cozy-harvest-lib@9.22.3) (2022-07-26)
 
 **Note:** Version bump only for package cozy-harvest-lib

package/dist/components/InAppBrowser.js

@@ -1,6 +1,6 @@
 import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
 import _regeneratorRuntime from "@babel/runtime/regenerator";
-import { useEffect } from 'react';
+import React, { useEffect } from 'react';
 import PropTypes from 'prop-types';
 import { useWebviewIntent } from 'cozy-intent';
 import logger from '../logger';
@@ -9,22 +9,27 @@ import { intentsApiProptype } from '../helpers/proptypes';
 var InAppBrowser = function InAppBrowser(_ref) {
   var url = _ref.url,
       onClose = _ref.onClose,
-      _ref$intentsApi = _ref.intentsApi,
-      intentsApi = _ref$intentsApi === void 0 ? {} : _ref$intentsApi;
-  var webviewIntent = useWebviewIntent();
-  var fetchSessionCode = intentsApi !== null && intentsApi !== void 0 && intentsApi.fetchSessionCode ? intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.fetchSessionCode : function () {
-    return webviewIntent.call('fetchSessionCode');
-  };
-  var showInAppBrowser = intentsApi !== null && intentsApi !== void 0 && intentsApi.showInAppBrowser ? intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.showInAppBrowser : function (url) {
-    return webviewIntent.call('showInAppBrowser', {
-      url: url
+      intentsApi = _ref.intentsApi;
+
+  if (intentsApi) {
+    return /*#__PURE__*/React.createElement(InAppBrowserWithIntentsApi, {
+      url: url,
+      onClose: onClose,
+      intentsApi: intentsApi
     });
-  };
-  var closeInAppBrowser = intentsApi !== null && intentsApi !== void 0 && intentsApi.closeInAppBrowser ? intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.closeInAppBrowser : function () {
-    return webviewIntent.call('closeInAppBrowser');
-  };
-  var tokenParamName = intentsApi !== null && intentsApi !== void 0 && intentsApi.tokenParamName ? intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.tokenParamName : 'session_code';
-  var isReady = Boolean(webviewIntent || (intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.fetchSessionCode) && (intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.showInAppBrowser) && (intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.closeInAppBrowser));
+  } else {
+    return /*#__PURE__*/React.createElement(InAppBrowserWithWebviewIntent, {
+      url: url,
+      onClose: onClose
+    });
+  }
+};
+
+var InAppBrowserWithWebviewIntent = function InAppBrowserWithWebviewIntent(_ref2) {
+  var url = _ref2.url,
+      onClose = _ref2.onClose;
+  var webviewIntent = useWebviewIntent();
+  var isReady = Boolean(webviewIntent);
   useEffect(function () {
     function insideEffect() {
       return _insideEffect.apply(this, arguments);
@@ -45,19 +50,21 @@ var InAppBrowser = function InAppBrowser(_ref) {
                 _context.prev = 1;
                 logger.debug('url at the beginning: ', url);
                 _context.next = 5;
-                return fetchSessionCode();
+                return webviewIntent.call('fetchSessionCode');
 
               case 5:
                 sessionCode = _context.sent;
                 logger.debug('got session code', sessionCode);
                 iabUrl = new URL(url);
-                iabUrl.searchParams.append(tokenParamName, sessionCode); // we need to decodeURIComponent since toString() encodes URL
+                iabUrl.searchParams.append('session_code', sessionCode); // we need to decodeURIComponent since toString() encodes URL
                 // but native browser will also encode them.
 
                 urlToOpen = decodeURIComponent(iabUrl.toString());
                 logger.debug('url to open: ', urlToOpen);
                 _context.next = 13;
-                return showInAppBrowser(urlToOpen);
+                return webviewIntent.call('showInAppBrowser', {
+                  url: urlToOpen
+                });
 
               case 13:
                 result = _context.sent;
@@ -89,6 +96,89 @@ var InAppBrowser = function InAppBrowser(_ref) {
       return _insideEffect.apply(this, arguments);
     }
 
+    insideEffect();
+    return function cleanup() {
+      webviewIntent.call('closeInAppBrowser');
+    };
+  }, [isReady, url, onClose, webviewIntent]);
+  return null;
+};
+
+var InAppBrowserWithIntentsApi = function InAppBrowserWithIntentsApi(_ref3) {
+  var url = _ref3.url,
+      onClose = _ref3.onClose,
+      _ref3$intentsApi = _ref3.intentsApi,
+      intentsApi = _ref3$intentsApi === void 0 ? {} : _ref3$intentsApi;
+  var fetchSessionCode = intentsApi.fetchSessionCode,
+      showInAppBrowser = intentsApi.showInAppBrowser,
+      closeInAppBrowser = intentsApi.closeInAppBrowser,
+      _intentsApi$tokenPara = intentsApi.tokenParamName,
+      tokenParamName = _intentsApi$tokenPara === void 0 ? 'session_code' : _intentsApi$tokenPara;
+  var isReady = Boolean((intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.fetchSessionCode) && (intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.showInAppBrowser) && (intentsApi === null || intentsApi === void 0 ? void 0 : intentsApi.closeInAppBrowser));
+  useEffect(function () {
+    function insideEffect() {
+      return _insideEffect2.apply(this, arguments);
+    }
+
+    function _insideEffect2() {
+      _insideEffect2 = _asyncToGenerator( /*#__PURE__*/_regeneratorRuntime.mark(function _callee2() {
+        var sessionCode, iabUrl, urlToOpen, result;
+        return _regeneratorRuntime.wrap(function _callee2$(_context2) {
+          while (1) {
+            switch (_context2.prev = _context2.next) {
+              case 0:
+                if (!isReady) {
+                  _context2.next = 21;
+                  break;
+                }
+
+                _context2.prev = 1;
+                logger.debug('url at the beginning: ', url);
+                _context2.next = 5;
+                return fetchSessionCode();
+
+              case 5:
+                sessionCode = _context2.sent;
+                logger.debug('got session code', sessionCode);
+                iabUrl = new URL(url);
+                iabUrl.searchParams.append(tokenParamName, sessionCode); // we need to decodeURIComponent since toString() encodes URL
+                // but native browser will also encode them.
+
+                urlToOpen = decodeURIComponent(iabUrl.toString());
+                logger.debug('url to open: ', urlToOpen);
+                _context2.next = 13;
+                return showInAppBrowser(urlToOpen);
+
+              case 13:
+                result = _context2.sent;
+
+                if ((result === null || result === void 0 ? void 0 : result.type) !== 'dismiss' && (result === null || result === void 0 ? void 0 : result.type) !== 'cancel') {
+                  logger.error('Unexpected InAppBrowser result', result);
+                }
+
+                _context2.next = 20;
+                break;
+
+              case 17:
+                _context2.prev = 17;
+                _context2.t0 = _context2["catch"](1);
+                logger.error('unexpected fetchSessionCode result', _context2.t0);
+
+              case 20:
+                if (onClose) {
+                  onClose();
+                }
+
+              case 21:
+              case "end":
+                return _context2.stop();
+            }
+          }
+        }, _callee2, null, [[1, 17]]);
+      }));
+      return _insideEffect2.apply(this, arguments);
+    }
+
     insideEffect();
     return function cleanup() {
       closeInAppBrowser();

package/dist/helpers/oauth.js

@@ -118,7 +118,7 @@ export var getOAuthUrl = function getOAuthUrl(_ref) {
   oAuthUrl.searchParams.set('nonce', nonce);
 
   if (oAuthConf.scope !== undefined && oAuthConf.scope !== null && oAuthConf.scope !== false) {
-    var urlScope = Array.isArray(oAuthConf.scope) ? oAuthConf.scope.join('+') : oAuthConf.scope;
+    var urlScope = Array.isArray(oAuthConf.scope) ? oAuthConf.scope.join('%2B') : oAuthConf.scope;
     oAuthUrl.searchParams.set('scope', urlScope);
   }
 

package/dist/helpers/oauth.spec.js

@@ -53,7 +53,7 @@ describe('Oauth helper', function () {
           scope: ['thescope', 'thescope2']
         }
       }));
-      expect(url).toEqual('https://cozyurl/accounts/testslug/start?state=statekey&nonce=1234&scope=thescope+thescope2');
+      expect(url).toEqual('https://cozyurl/accounts/testslug/start?state=statekey&nonce=1234&scope=thescope%2Bthescope2');
     });
     it('should use redirectSlug if present', function () {
       var url = getOAuthUrl(_objectSpread(_objectSpread({}, defaultConf), {}, {

package/dist/services/biWebView.js

@@ -33,6 +33,7 @@ import { waitForRealtimeEvent } from './jobUtils';
 import '../types';
 import { LOGIN_SUCCESS_EVENT } from '../models/flowEvents';
 var TEMP_TOKEN_TIMOUT_S = 60;
+export var ACCOUNTS_DOCTYPE = 'io.cozy.accounts';
 export var isBiWebViewConnector = function isBiWebViewConnector(konnector) {
   return flag('harvest.bi.webview') && isBudgetInsightConnector(konnector);
 };
@@ -201,7 +202,7 @@ export var handleOAuthAccount = /*#__PURE__*/function () {
             logger.info("Found a BI webview connection id: ".concat(connectionId));
             flow.konnector = konnector;
             _context3.next = 12;
-            return flow.saveAccount(setBIConnectionId(biWebviewAccount, connectionId));
+            return flow.saveAccount(_objectSpread(_objectSpread({}, setBIConnectionId(biWebviewAccount, connectionId)), getBiAggregatorParentRelationship(konnector)));
 
           case 12:
             biWebviewAccount = _context3.sent;
@@ -228,6 +229,34 @@ export var handleOAuthAccount = /*#__PURE__*/function () {
     return _ref6.apply(this, arguments);
   };
 }();
+/**
+ * Return the bi aggregator parent relationship configuration for a given konnector
+ *
+ * @param {io.cozy.konnectors} konnector connector manifest content
+ *
+ * @return {Object}
+ */
+
+var getBiAggregatorParentRelationship = function getBiAggregatorParentRelationship(konnector) {
+  var _konnector$aggregator;
+
+  var biAggregatorId = konnector === null || konnector === void 0 ? void 0 : (_konnector$aggregator = konnector.aggregator) === null || _konnector$aggregator === void 0 ? void 0 : _konnector$aggregator.accountId;
+
+  if (!biAggregatorId) {
+    return {};
+  }
+
+  return {
+    relationships: {
+      parent: {
+        data: {
+          _id: biAggregatorId,
+          _type: ACCOUNTS_DOCTYPE
+        }
+      }
+    }
+  };
+};
 /**
  * Gets BI webview connection id which is returned in the account by the stack
  * via oauth callback url
@@ -237,6 +266,7 @@ export var handleOAuthAccount = /*#__PURE__*/function () {
  * @return {Integer} Connection Id
  */
 
+
 var getWebviewBIConnectionId = function getWebviewBIConnectionId(account) {
   var _account$oauth, _account$oauth$query, _account$oauth$query$;
 
@@ -546,16 +576,22 @@ function _getBiTemporaryTokenFromCache() {
   return _getBiTemporaryTokenFromCache.apply(this, arguments);
 }
 
-function isCacheExpired(_ref17) {
-  var tokenCache = _ref17.tokenCache;
+export function isCacheExpired(_ref17) {
+  var tokenCache = _ref17.tokenCache,
+      biUser = _ref17.biUser;
   var cacheAge = Date.now() - Number(tokenCache === null || tokenCache === void 0 ? void 0 : tokenCache.timestamp);
   logger.debug('tokenCache age', cacheAge / 1000 / 60, 'minutes');
   var MAX_TOKEN_CACHE_AGE = 29 * 60 * 1000;
+  var isSameUserId = tokenCache.userId === (biUser === null || biUser === void 0 ? void 0 : biUser.userId);
 
-  if (tokenCache && cacheAge < MAX_TOKEN_CACHE_AGE) {
+  if (tokenCache && cacheAge < MAX_TOKEN_CACHE_AGE && isSameUserId) {
     return false;
   }
 
+  if (!isSameUserId) {
+    logger.warn("BI user id in cache ".concat(tokenCache.userId, " is different than current user id ").concat(biUser === null || biUser === void 0 ? void 0 : biUser.userId));
+  }
+
   return true;
 }
 /**
@@ -568,7 +604,6 @@ function isCacheExpired(_ref17) {
  * @return {createTemporaryTokenResponse}
  */
 
-
 function updateCache(_x9) {
   return _updateCache.apply(this, arguments);
 }
@@ -633,7 +668,7 @@ export var createTemporaryToken = /*#__PURE__*/function () {
   var _ref20 = _asyncToGenerator( /*#__PURE__*/_regeneratorRuntime.mark(function _callee8(_ref19) {
     var _tokenCache;
 
-    var client, konnector, account, tokenCache, cozyBankIds, _tokenCache2, biMapping;
+    var client, konnector, account, tokenCache, cozyBankIds, _yield$client$query, biUser, _tokenCache2, biMapping;
 
     return _regeneratorRuntime.wrap(function _callee8$(_context8) {
       while (1) {
@@ -652,16 +687,23 @@ export var createTemporaryToken = /*#__PURE__*/function () {
               konnector: konnector,
               account: account
             });
+            _context8.next = 8;
+            return client.query(Q('io.cozy.accounts').getById('bi-aggregator-user'));
+
+          case 8:
+            _yield$client$query = _context8.sent;
+            biUser = _yield$client$query.data;
 
             if (!isCacheExpired({
-              tokenCache: tokenCache
+              tokenCache: tokenCache,
+              biUser: biUser
             })) {
-              _context8.next = 11;
+              _context8.next = 15;
               break;
             }
 
             logger.debug('temporaryToken cache is expired. Updating');
-            _context8.next = 10;
+            _context8.next = 14;
             return updateCache({
               client: client,
               konnector: konnector,
@@ -669,10 +711,10 @@ export var createTemporaryToken = /*#__PURE__*/function () {
               cozyBankIds: cozyBankIds
             });
 
-          case 10:
+          case 14:
             tokenCache = _context8.sent;
 
-          case 11:
+          case 15:
             assert(cozyBankIds.length, 'createTemporaryToken: Could not determine cozyBankIds from account or konnector');
             assert((_tokenCache = tokenCache) === null || _tokenCache === void 0 ? void 0 : _tokenCache.biMapping, 'createTemporaryToken: could not find a BI mapping in createTemporaryToken response, you should update your konnector to the last version');
             _tokenCache2 = tokenCache, biMapping = _tokenCache2.biMapping;
@@ -681,7 +723,7 @@ export var createTemporaryToken = /*#__PURE__*/function () {
             })));
             return _context8.abrupt("return", tokenCache);
 
-          case 16:
+          case 20:
           case "end":
             return _context8.stop();
         }

package/dist/services/biWebView.spec.js

@@ -7,7 +7,7 @@ function _objectSpread(target) { for (var i = 1; i < arguments.length; i++) { va
 
 import _regeneratorRuntime from "@babel/runtime/regenerator";
 import CozyClient from 'cozy-client';
-import { handleOAuthAccount, checkBIConnection, isBiWebViewConnector, fetchContractSynchronizationUrl, refreshContracts, fetchExtraOAuthUrlParams } from './biWebView';
+import { handleOAuthAccount, checkBIConnection, isBiWebViewConnector, fetchContractSynchronizationUrl, refreshContracts, fetchExtraOAuthUrlParams, isCacheExpired } from './biWebView';
 import ConnectionFlow from '../models/ConnectionFlow';
 import { waitForRealtimeEvent } from './jobUtils';
 import biPublicKeyProd from './bi-public-key-prod.json';
@@ -539,6 +539,72 @@ describe('refreshContracts', function () {
     }, _callee9);
   })));
 });
+describe('isCacheExpired', function () {
+  it('should not be marked as expired when userId did not change and cache is not old', function () {
+    var tokenCache = {
+      timestamp: Date.now(),
+      userId: 666
+    };
+    var biUser = {
+      userId: 666
+    };
+    expect(isCacheExpired({
+      tokenCache: tokenCache,
+      biUser: biUser
+    })).toBe(false);
+  });
+  it('should be marked as expired when userId did not change and cache is old', function () {
+    var tokenCache = {
+      timestamp: 0,
+      userId: 666
+    };
+    var biUser = {
+      userId: 666
+    };
+    expect(isCacheExpired({
+      tokenCache: tokenCache,
+      biUser: biUser
+    })).toBe(true);
+  });
+  it('should be marked as expired when userId did change and cache is old', function () {
+    var tokenCache = {
+      timestamp: 0,
+      userId: 666
+    };
+    var biUser = {
+      userId: 667
+    };
+    expect(isCacheExpired({
+      tokenCache: tokenCache,
+      biUser: biUser
+    })).toBe(true);
+  });
+  it('should be marked as expired when userId did change and cache is not old', function () {
+    var tokenCache = {
+      timestamp: Date.now(),
+      userId: 666
+    };
+    var biUser = {
+      userId: 667
+    };
+    expect(isCacheExpired({
+      tokenCache: tokenCache,
+      biUser: biUser
+    })).toBe(true);
+  });
+  it('should be marked as expired when cache has no user id', function () {
+    var tokenCache = {
+      timestamp: Date.now()
+    };
+    var biUser = {
+      userId: 666
+    };
+    expect(isCacheExpired({
+      tokenCache: tokenCache,
+      biUser: biUser
+    })).toBe(true);
+  });
+});
 describe('fetchExtraOAuthUrlParams', function () {
   it('should asynchronously fetch BI token', /*#__PURE__*/_asyncToGenerator( /*#__PURE__*/_regeneratorRuntime.mark(function _callee10() {
     var client, result;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cozy-harvest-lib",
-  "version": "9.22.3",
+  "version": "9.23.2",
   "description": "Provides logic, modules and components for Cozy's harvest applications.",
   "main": "dist/index.js",
   "author": "Cozy",
@@ -29,7 +29,7 @@
     "@cozy/minilog": "^1.0.0",
     "@sentry/browser": "^6.0.1",
     "cozy-bi-auth": "0.0.25",
-    "cozy-doctypes": "^1.84.0",
+    "cozy-doctypes": "^1.85.0",
     "cozy-logger": "^1.9.0",
     "date-fns": "^1.30.1",
     "final-form": "^4.18.5",
@@ -90,5 +90,5 @@
     "react-router-dom": "^5.0.1"
   },
   "sideEffects": false,
-  "gitHead": "6bfb68f221c204c40e54baab55cc25655e71a548"
+  "gitHead": "c5c6e0d609fafbc41a4b8cbfa8e1d4582544bbdd"
 }

package/src/components/InAppBrowser.jsx

@@ -1,30 +1,73 @@
-import { useEffect } from 'react'
+import React, { useEffect } from 'react'
 import PropTypes from 'prop-types'
 import { useWebviewIntent } from 'cozy-intent'
 import logger from '../logger'
 import { intentsApiProptype } from '../helpers/proptypes'
 
-const InAppBrowser = ({ url, onClose, intentsApi = {} }) => {
+const InAppBrowser = ({ url, onClose, intentsApi }) => {
+  if (intentsApi) {
+    return (
+      <InAppBrowserWithIntentsApi
+        url={url}
+        onClose={onClose}
+        intentsApi={intentsApi}
+      />
+    )
+  } else {
+    return <InAppBrowserWithWebviewIntent url={url} onClose={onClose} />
+  }
+}
+
+const InAppBrowserWithWebviewIntent = ({ url, onClose }) => {
   const webviewIntent = useWebviewIntent()
-  const fetchSessionCode = intentsApi?.fetchSessionCode
-    ? intentsApi?.fetchSessionCode
-    : () => webviewIntent.call('fetchSessionCode')
-  const showInAppBrowser = intentsApi?.showInAppBrowser
-    ? intentsApi?.showInAppBrowser
-    : url => webviewIntent.call('showInAppBrowser', { url })
-  const closeInAppBrowser = intentsApi?.closeInAppBrowser
-    ? intentsApi?.closeInAppBrowser
-    : () => webviewIntent.call('closeInAppBrowser')
+  const isReady = Boolean(webviewIntent)
+  useEffect(() => {
+    async function insideEffect() {
+      if (isReady) {
+        try {
+          logger.debug('url at the beginning: ', url)
+          const sessionCode = await webviewIntent.call('fetchSessionCode')
+          logger.debug('got session code', sessionCode)
+          const iabUrl = new URL(url)
+          iabUrl.searchParams.append('session_code', sessionCode)
+          // we need to decodeURIComponent since toString() encodes URL
+          // but native browser will also encode them.
+          const urlToOpen = decodeURIComponent(iabUrl.toString())
+          logger.debug('url to open: ', urlToOpen)
+          const result = await webviewIntent.call('showInAppBrowser', {
+            url: urlToOpen
+          })
+          if (result?.type !== 'dismiss' && result?.type !== 'cancel') {
+            logger.error('Unexpected InAppBrowser result', result)
+          }
+        } catch (err) {
+          logger.error('unexpected fetchSessionCode result', err)
+        }
+        if (onClose) {
+          onClose()
+        }
+      }
+    }
+    insideEffect()
+    return function cleanup() {
+      webviewIntent.call('closeInAppBrowser')
+    }
+  }, [isReady, url, onClose, webviewIntent])
+  return null
+}
 
-  const tokenParamName = intentsApi?.tokenParamName
-    ? intentsApi?.tokenParamName
-    : 'session_code'
+const InAppBrowserWithIntentsApi = ({ url, onClose, intentsApi = {} }) => {
+  const {
+    fetchSessionCode,
+    showInAppBrowser,
+    closeInAppBrowser,
+    tokenParamName = 'session_code'
+  } = intentsApi
 
   const isReady = Boolean(
-    webviewIntent ||
-      (intentsApi?.fetchSessionCode &&
-        intentsApi?.showInAppBrowser &&
-        intentsApi?.closeInAppBrowser)
+    intentsApi?.fetchSessionCode &&
+      intentsApi?.showInAppBrowser &&
+      intentsApi?.closeInAppBrowser
   )
 
   useEffect(() => {
@@ -52,6 +95,7 @@ const InAppBrowser = ({ url, onClose, intentsApi = {} }) => {
         }
       }
     }
+
     insideEffect()
     return function cleanup() {
       closeInAppBrowser()

package/src/helpers/oauth.js

@@ -130,7 +130,7 @@ export const getOAuthUrl = ({
     oAuthConf.scope !== false
   ) {
     const urlScope = Array.isArray(oAuthConf.scope)
-      ? oAuthConf.scope.join('+')
+      ? oAuthConf.scope.join('%2B')
       : oAuthConf.scope
     oAuthUrl.searchParams.set('scope', urlScope)
   }

package/src/helpers/oauth.spec.js

@@ -50,7 +50,7 @@ describe('Oauth helper', () => {
         oAuthConf: { scope: ['thescope', 'thescope2'] }
       })
       expect(url).toEqual(
-        'https://cozyurl/accounts/testslug/start?state=statekey&nonce=1234&scope=thescope+thescope2'
+        'https://cozyurl/accounts/testslug/start?state=statekey&nonce=1234&scope=thescope%2Bthescope2'
       )
     })
     it('should use redirectSlug if present', () => {

package/src/services/biWebView.js

@@ -23,6 +23,7 @@ import '../types'
 import { LOGIN_SUCCESS_EVENT } from '../models/flowEvents'
 
 const TEMP_TOKEN_TIMOUT_S = 60
+export const ACCOUNTS_DOCTYPE = 'io.cozy.accounts'
 
 export const isBiWebViewConnector = konnector =>
   flag('harvest.bi.webview') && isBudgetInsightConnector(konnector)
@@ -130,9 +131,11 @@ export const handleOAuthAccount = async ({
   if (connectionId) {
     logger.info(`Found a BI webview connection id: ${connectionId}`)
     flow.konnector = konnector
-    biWebviewAccount = await flow.saveAccount(
-      setBIConnectionId(biWebviewAccount, connectionId)
-    )
+
+    biWebviewAccount = await flow.saveAccount({
+      ...setBIConnectionId(biWebviewAccount, connectionId),
+      ...getBiAggregatorParentRelationship(konnector)
+    })
 
     await flow.handleFormSubmit({
       client,
@@ -145,6 +148,30 @@ export const handleOAuthAccount = async ({
   return connectionId
 }
 
+/**
+ * Return the bi aggregator parent relationship configuration for a given konnector
+ *
+ * @param {io.cozy.konnectors} konnector connector manifest content
+ *
+ * @return {Object}
+ */
+const getBiAggregatorParentRelationship = konnector => {
+  const biAggregatorId = konnector?.aggregator?.accountId
+  if (!biAggregatorId) {
+    return {}
+  }
+  return {
+    relationships: {
+      parent: {
+        data: {
+          _id: biAggregatorId,
+          _type: ACCOUNTS_DOCTYPE
+        }
+      }
+    }
+  }
+}
+
 /**
  * Gets BI webview connection id which is returned in the account by the stack
  * via oauth callback url
@@ -335,13 +362,20 @@ async function getBiTemporaryTokenFromCache({ client }) {
  * @param {createTemporaryTokenResponse} options.tokenCache
  * @return {Boolean}
  */
-function isCacheExpired({ tokenCache }) {
+export function isCacheExpired({ tokenCache, biUser }) {
   const cacheAge = Date.now() - Number(tokenCache?.timestamp)
   logger.debug('tokenCache age', cacheAge / 1000 / 60, 'minutes')
   const MAX_TOKEN_CACHE_AGE = 29 * 60 * 1000
-  if (tokenCache && cacheAge < MAX_TOKEN_CACHE_AGE) {
+  const isSameUserId = tokenCache.userId === biUser?.userId
+  if (tokenCache && cacheAge < MAX_TOKEN_CACHE_AGE && isSameUserId) {
     return false
   }
+
+  if (!isSameUserId) {
+    logger.warn(
+      `BI user id in cache ${tokenCache.userId} is different than current user id ${biUser?.userId}`
+    )
+  }
   return true
 }
 
@@ -398,7 +432,12 @@ export const createTemporaryToken = async ({ client, konnector, account }) => {
 
   let tokenCache = await getBiTemporaryTokenFromCache({ client })
   const cozyBankIds = getCozyBankIds({ konnector, account })
-  if (isCacheExpired({ tokenCache })) {
+
+  const { data: biUser } = await client.query(
+    Q('io.cozy.accounts').getById('bi-aggregator-user')
+  )
+
+  if (isCacheExpired({ tokenCache, biUser })) {
     logger.debug('temporaryToken cache is expired. Updating')
     tokenCache = await updateCache({
       client,

package/src/services/biWebView.spec.js

@@ -5,7 +5,8 @@ import {
   isBiWebViewConnector,
   fetchContractSynchronizationUrl,
   refreshContracts,
-  fetchExtraOAuthUrlParams
+  fetchExtraOAuthUrlParams,
+  isCacheExpired
 } from './biWebView'
 import ConnectionFlow from '../models/ConnectionFlow'
 import { waitForRealtimeEvent } from './jobUtils'
@@ -330,6 +331,34 @@ describe('refreshContracts', () => {
   })
 })
 
+describe('isCacheExpired', () => {
+  it('should not be marked as expired when userId did not change and cache is not old', () => {
+    const tokenCache = { timestamp: Date.now(), userId: 666 }
+    const biUser = { userId: 666 }
+    expect(isCacheExpired({ tokenCache, biUser })).toBe(false)
+  })
+  it('should be marked as expired when userId did not change and cache is old', () => {
+    const tokenCache = { timestamp: 0, userId: 666 }
+    const biUser = { userId: 666 }
+    expect(isCacheExpired({ tokenCache, biUser })).toBe(true)
+  })
+  it('should be marked as expired when userId did change and cache is old', () => {
+    const tokenCache = { timestamp: 0, userId: 666 }
+    const biUser = { userId: 667 }
+    expect(isCacheExpired({ tokenCache, biUser })).toBe(true)
+  })
+  it('should be marked as expired when userId did change and cache is not old', () => {
+    const tokenCache = { timestamp: Date.now(), userId: 666 }
+    const biUser = { userId: 667 }
+    expect(isCacheExpired({ tokenCache, biUser })).toBe(true)
+  })
+  it('should be marked as expired when cache has no user id', () => {
+    const tokenCache = { timestamp: Date.now() }
+    const biUser = { userId: 666 }
+    expect(isCacheExpired({ tokenCache, biUser })).toBe(true)
+  })
+})
+
 describe('fetchExtraOAuthUrlParams', () => {
   it('should asynchronously fetch BI token', async () => {
     const client = new CozyClient({