Harden redemption flow and improve operational safety

office365_self_service/graph.py

@@ -30,9 +30,29 @@ class TokenManager:
             "client_secret": self.client_secret,
             "scope": self.scope,
         }
-        response = requests.post(self.token_endpoint, data=data, timeout=30)
-        response.raise_for_status()
-        token_data = response.json()
+        try:
+            response = requests.post(self.token_endpoint, data=data, timeout=30)
+            response.raise_for_status()
+        except requests.RequestException as exc:
+            status_code = getattr(getattr(exc, "response", None), "status_code", 0) or 0
+            response_payload = None
+            response_text = ""
+            if getattr(exc, "response", None) is not None:
+                response_text = exc.response.text[:200]
+                try:
+                    response_payload = exc.response.json()
+                except ValueError:
+                    response_payload = None
+            message = "获取访问令牌失败"
+            if response_text:
+                message = f"{message}: {response_text}"
+            raise GraphAPIError(message, status_code=status_code, response=response_payload) from exc
+
+        try:
+            token_data = response.json()
+        except ValueError as exc:
+            raise GraphAPIError("解析访问令牌响应失败", response.status_code) from exc
+
         self._token = token_data["access_token"]
         expires_in = token_data.get("expires_in", 3600)
         self._token_expires_at = time.time() + expires_in
@@ -127,4 +147,4 @@ class GraphClient:
         else:
             payload["addLicenses"] = []
         payload["removeLicenses"] = remove_licenses if remove_licenses else []
-        return self.post(f"/users/{user_id}/assignLicense", json=payload)
+        return self.post(f"/users/{user_id}/assignLicense", json=payload)