tweak middleware - catch more errors, throw 401 on invalid token/unau…

…thorized Signed-off-by: Jason Sherman <[email protected]>
usingtechnology · Mar 11, 2024 · 0a39ed1 · 0a39ed1
1 parent cafc838
commit 0a39ed1
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js b/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js
@@ -1,5 +1,5 @@
 import { setActivePinia, createPinia } from 'pinia';
-import { flushPromises, mount } from '@vue/test-utils';
+import { mount } from '@vue/test-utils';
 import { describe, expect, it } from 'vitest';
 import { createRouter, createWebHistory } from 'vue-router';
 

diff --git a/app/src/components/jwtService.js b/app/src/components/jwtService.js
@@ -39,7 +39,7 @@ class JwtService {
   }
 
   async _verify(token) {
-    // could throw JWTClaimValidationFailed
+    // could throw JWTClaimValidationFailed (JOSEError)
     const { payload } = await jose.jwtVerify(token, JWKS, {
       issuer: this.issuer,
       audience: this.audience,
@@ -54,7 +54,7 @@ class JwtService {
       // these claims passed, just return true.
       return true;
     } catch (e) {
-      if (e instanceof jose.errors.JWTClaimValidationFailed) {
+      if (e instanceof jose.errors.JOSEError) {
         return false;
       } else {
         errorToProblem(SERVICE, e);

diff --git a/app/src/forms/auth/middleware/userAccess.js b/app/src/forms/auth/middleware/userAccess.js
@@ -61,7 +61,7 @@ const _getForm = async (currentUser, formId, includeDeleted) => {
  * attribute so that all downstream middleware and business logic can use it.
  *
  * This will fall through if everything is OK. If the Bearer auth is not valid,
- * this will produce a 403 error.
+ * this will produce a 401 error.
  *
  * @param {*} req the Express object representing the HTTP request.
  * @param {*} _res the Express object representing the HTTP response - unused.
@@ -74,7 +74,7 @@ const currentUser = async (req, _res, next) => {
     if (bearerToken) {
       const ok = await jwtService.validateAccessToken(bearerToken);
       if (!ok) {
-        throw new Problem(403, { detail: 'Authorization token is invalid.' });
+        throw new Problem(401, { detail: 'Authorization token is invalid.' });
       }
     }
 

diff --git a/app/tests/unit/forms/auth/middleware/userAccess.spec.js b/app/tests/unit/forms/auth/middleware/userAccess.spec.js
@@ -101,7 +101,7 @@ describe('currentUser', () => {
     expect(service.login).toHaveBeenCalledWith({ token: 'payload' });
   });
 
-  it('403s if the token is invalid', async () => {
+  it('401s if the token is invalid', async () => {
     const testReq = {
       headers: {
         authorization: 'Bearer hjvds0uds',
@@ -117,7 +117,7 @@ describe('currentUser', () => {
     expect(jwtService.validateAccessToken).toHaveBeenCalledWith('bearer-token-value');
     expect(service.login).toHaveBeenCalledTimes(0);
     expect(testReq.currentUser).toEqual(undefined);
-    expect(nxt).toHaveBeenCalledWith(new Problem(403, { detail: 'Authorization token is invalid.' }));
+    expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: 'Authorization token is invalid.' }));
   });
 });