From 0a39ed18565ed88cafb145f3bf1f64ef07113ae3 Mon Sep 17 00:00:00 2001
From: Jason Sherman
Date: Mon, 11 Mar 2024 11:03:38 -0700
Subject: [PATCH] tweak middleware - catch more errors, throw 401 on invalid token/unauthorized

Signed-off-by: Jason Sherman
---
 app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js | 2 +-
 app/src/components/jwtService.js | 4 ++--
 app/src/forms/auth/middleware/userAccess.js | 4 ++--
 app/tests/unit/forms/auth/middleware/userAccess.spec.js | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js b/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js
index 8dd1de1fc..871400376 100644
--- a/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js
+++ b/app/frontend/tests/unit/components/bcgov/BCGovHeader.spec.js
@@ -1,5 +1,5 @@
 import { setActivePinia, createPinia } from 'pinia';
-import { flushPromises, mount } from '@vue/test-utils';
+import { mount } from '@vue/test-utils';
 import { describe, expect, it } from 'vitest';
 import { createRouter, createWebHistory } from 'vue-router';
diff --git a/app/src/components/jwtService.js b/app/src/components/jwtService.js
index 9aa999d7c..a25ddc0f7 100644
--- a/app/src/components/jwtService.js
+++ b/app/src/components/jwtService.js
@@ -39,7 +39,7 @@ class JwtService {
 }
 async _verify(token) {
- // could throw JWTClaimValidationFailed
+ // could throw JWTClaimValidationFailed (JOSEError)
 const { payload } = await jose.jwtVerify(token, JWKS, {
 issuer: this.issuer,
 audience: this.audience,
@@ -54,7 +54,7 @@ class JwtService {
 // these claims passed, just return true.
 return true;
 } catch (e) {
- if (e instanceof jose.errors.JWTClaimValidationFailed) {
+ if (e instanceof jose.errors.JOSEError) {
 return false;
 } else {
 errorToProblem(SERVICE, e);
diff --git a/app/src/forms/auth/middleware/userAccess.js b/app/src/forms/auth/middleware/userAccess.js
index e7a0ace06..d3c22e0fd 100644
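Review bot: The rewritten comment above jwtVerify still names only JWTClaimValidationFailed, yet the call directly below verifies the signature against JWKS as well as issuer and audience, so the catch that this commit broadens in validateAccessToken now also swallows signature and key-lookup failures that this comment does not mention. Suggest `// jwtVerify throws a JOSEError subclass on any failure: bad signature, no usable JWKS key, expired token (jose default), or issuer/audience mismatch.` so the next reader can see what a false return covers. _verify begins in this hunk but its body continues past it.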
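Review bot: A failure to reach or use the remote key set now ends in `return false`, and via the userAccess.js hunk in this commit that is reported to the client as a 401 'Authorization token is invalid.' — jose's JWKSTimeout is a JOSEError too (assuming this jose version, not shown here, derives its remote-JWKS errors from JOSEError), so a JWKS outage would present as a wave of bad credentials instead of a server-side fault, and nothing records why the token was rejected before the early return. Keep that case on the existing errorToProblem path (which the else branch appears to rely on to raise) with `if (e instanceof jose.errors.JOSEError && !(e instanceof jose.errors.JWKSTimeout)) {` and log `e.code` at debug level ahead of `return false` so operators can tell an expired token from an unsigned one. The commit adds no unit test for the broadened catch; one case per rejection class (claim failure, signature failure, JWKS timeout) would pin the intended behaviour. The enclosing try/catch and validateAccessToken start before this hunk.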
--- a/app/src/forms/auth/middleware/userAccess.js
+++ b/app/src/forms/auth/middleware/userAccess.js
@@ -61,7 +61,7 @@ const _getForm = async (currentUser, formId, includeDeleted) => {
 * attribute so that all downstream middleware and business logic can use it.
 *
 * This will fall through if everything is OK. If the Bearer auth is not valid,
- * this will produce a 403 error.
+ * this will produce a 401 error.
 *
 * @param {*} req the Express object representing the HTTP request.
 * @param {*} _res the Express object representing the HTTP response - unused.
@@ -74,7 +74,7 @@ const currentUser = async (req, _res, next) => {
 if (bearerToken) {
 const ok = await jwtService.validateAccessToken(bearerToken);
 if (!ok) {
- throw new Problem(403, { detail: 'Authorization token is invalid.' });
+ throw new Problem(401, { detail: 'Authorization token is invalid.' });
 }
 }
diff --git a/app/tests/unit/forms/auth/middleware/userAccess.spec.js b/app/tests/unit/forms/auth/middleware/userAccess.spec.js
index 3bb51b516..81e0d8142 100644
--- a/app/tests/unit/forms/auth/middleware/userAccess.spec.js
+++ b/app/tests/unit/forms/auth/middleware/userAccess.spec.js
@@ -101,7 +101,7 @@ describe('currentUser', () => {
 expect(service.login).toHaveBeenCalledWith({ token: 'payload' });
 });
- it('403s if the token is invalid', async () => {
+ it('401s if the token is invalid', async () => {
 const testReq = {
 headers: {
 authorization: 'Bearer hjvds0uds',
@@ -117,7 +117,7 @@ describe('currentUser', () => {
 expect(jwtService.validateAccessToken).toHaveBeenCalledWith('bearer-token-value');
 expect(service.login).toHaveBeenCalledTimes(0);
 expect(testReq.currentUser).toEqual(undefined);
- expect(nxt).toHaveBeenCalledWith(new Problem(403, { detail: 'Authorization token is invalid.' }));
+ expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: 'Authorization token is invalid.' }));
 });
 });
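Review bot: The docblock, which appears to document the currentUser middleware shown in the next hunk, says an invalid Bearer token produces a 401 but does not say what happens when no Authorization header is sent; the `if (bearerToken)` guard in that hunk skips the check entirely, so a reader could wrongly assume a missing token is rejected here too. Suggest adding, after the 401 sentence, ` * A request with no Bearer token is not rejected by this middleware; the check is skipped and the request falls through.`. The docblock starts before this hunk.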
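Review bot: The 401 on the changed line carries no WWW-Authenticate challenge; RFC 6750 §3 expects one on a 401 for Bearer auth (`Bearer error="invalid_token"`), and nothing in this hunk shows Problem adding it. If the response is used, `_res` would need renaming, e.g. `res.set('WWW-Authenticate', 'Bearer error="invalid_token"');` just before the throw, with the @param line updated to match. Note also that validateAccessToken, as changed in this commit, returns false for every JOSEError, so a JWKS fetch failure would reach this throw and be reported with the same 'Authorization token is invalid.' detail as a forged token. currentUser continues past this hunk.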