Skip to content

Commit

Permalink
Merge pull request #1034 from arahmarchak/enhance-jwt-claim-error-mes…
Browse files Browse the repository at this point in the history 
…sages

Handle API authentication errors for the API services
  • Loading branch information
@Annopaolo
Annopaolo authored Jan 16, 2025
2 parents b4c2762 + e7c1eb7 commit e6a0933
Show file tree
Hide file tree
Showing 23 changed files with 757 additions and 130 deletions.
34 changes: 31 additions & 3 deletions apps/astarte_appengine_api/lib/astarte_appengine_api_web/controllers/fallback_controller.ex
View file
Original file line number Diff line number Diff line change
Expand Up @@ -204,11 +204,39 @@ defmodule Astarte.AppEngine.APIWeb.FallbackController do
|> render(:"422_unexpected_object_key")
end

# Invalid authorized path
def call(conn, {:error, :invalid_auth_path}) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:invalid_auth_path)
end

# This is called when no JWT token is present
def auth_error(conn, {:unauthenticated, reason}, _opts) do
_ =
Logger.info("Refusing unauthenticated request: #{inspect(reason)}.", tag: "unauthenticated")
def auth_error(conn, {:unauthenticated, :unauthenticated}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:missing_token)
end

# Invalid JWT token
def auth_error(conn, {:invalid_token, :invalid_token}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:invalid_token)
end

# Path not authorized
def auth_error(conn, {:unauthorized, :authorization_path_not_matched}, _opts) do
conn
|> put_status(:forbidden)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:authorization_path_not_matched, %{method: conn.method, path: conn.request_path})
end

def auth_error(conn, {:unauthenticated, _reason}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
Expand Down
24 changes: 24 additions & 0 deletions apps/astarte_appengine_api/lib/astarte_appengine_api_web/views/error_view.ex
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,30 @@ defmodule Astarte.AppEngine.APIWeb.ErrorView do
%{errors: %{detail: "Forbidden"}}
end

def render("missing_token.json", _assigns) do
%{errors: %{detail: "Missing authorization token"}}
end

def render("invalid_token.json", _assigns) do
%{errors: %{detail: "Invalid JWT token"}}
end

def render("invalid_auth_path.json", _assigns) do
%{
errors: %{
detail: "Authorization failed due to an invalid path"
}
}
end

def render("authorization_path_not_matched.json", %{method: method, path: path}) do
%{
errors: %{
detail: "Unauthorized access to #{method} #{path}. Please verify your permissions"
}
}
end

def render("503_cannot_push_to_device.json", _assigns) do
%{errors: %{detail: "Cannot push to device"}}
end
Expand Down
170 changes: 113 additions & 57 deletions apps/astarte_appengine_api/priv/static/astarte_appengine_api.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,11 +136,9 @@ paths:
- 8ZxuSGkU7pggwoomJeXo9g
- k-IFKDPoVzIXUcFkF7U80A
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'/{realm_name}/devices/{device_id}':
parameters:
- name: realm_name
Expand Down Expand Up @@ -176,11 +174,9 @@ paths:
data:
$ref: '#/components/schemas/DeviceStatus'
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found
content:
Expand Down Expand Up @@ -221,11 +217,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -272,11 +266,9 @@ paths:
data:
$ref: '#/components/schemas/DeviceStatus'
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found
content:
Expand Down Expand Up @@ -317,11 +309,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -371,11 +361,9 @@ paths:
- com.test.foo
- com.test.bar
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -423,11 +411,9 @@ paths:
'200':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Interface not found in introspection or device not found.
content:
Expand Down Expand Up @@ -525,11 +511,9 @@ paths:
'200':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Path not found or interface not found in introspection or device not
Expand Down Expand Up @@ -588,11 +572,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Endpoint not found or interface not found in introspection or device
Expand Down Expand Up @@ -650,11 +632,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Endpoint not found or interface not found in introspection or device
Expand Down Expand Up @@ -710,11 +690,9 @@ paths:
'204':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Path not found or interface not found in introspection or device not
Expand Down Expand Up @@ -748,6 +726,8 @@ paths:
$ref: '#/components/responses/IndexGroups'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
post:
tags:
- groups
Expand All @@ -767,6 +747,8 @@ paths:
$ref: '#/components/responses/GroupCreated'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'422':
$ref: '#/components/responses/InvalidGroupConfig'
'/{realm_name}/groups/{group_name}':
Expand All @@ -788,6 +770,8 @@ paths:
$ref: '#/components/responses/GetGroup'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
'/{realm_name}/groups/{group_name}/devices':
Expand All @@ -808,6 +792,8 @@ paths:
$ref: '#/components/responses/IndexGroupDevices'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
post:
Expand All @@ -829,6 +815,8 @@ paths:
description: Success
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
'422':
Expand All @@ -852,6 +840,8 @@ paths:
description: Device removed
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupOrDeviceNotFound'
'/{realm_name}/stats/devices':
Expand All @@ -871,6 +861,8 @@ paths:
$ref: '#/components/responses/GetDevicesStats'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
components:
securitySchemes:
JWT:
Expand Down Expand Up @@ -1000,11 +992,24 @@ components:
group_name:
- is invalid
Unauthorized:
description: Realm doesn't exist or operation not allowed.
description: Token/Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/MissingTokenError'
- $ref: '#/components/schemas/InvalidTokenError'
- $ref: '#/components/schemas/InvalidAuthPathError'
- $ref: '#/components/schemas/UnauthorizedError'
AuthorizationPathNotMatched:
description: Authorization path not matched.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
type: object
properties:
data:
$ref: '#/components/schemas/AuthorizationPathNotMatchedError'
GroupNotFound:
description: Group not found
content:
Expand Down Expand Up @@ -1252,3 +1257,54 @@ components:
example:
errors:
detail: Unauthorized
MissingTokenError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Missing authorization token

InvalidTokenError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Invalid JWT token

InvalidAuthPathError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Authorization failed due to an invalid path

AuthorizationPathNotMatchedError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Detailed error message including the method and path
example:
errors:
detail: Unauthorized access to GET /api/v1/some_path. Please verify your permissions
Loading

0 comments on commit e6a0933

Please sign in to comment.