fix: return HTTP 401 for unauthorized mutations and handle expired tokens

clintonlunn · clintonlunn · commit ed71523cf90a · 2026-01-09T10:12:00.000-07:00
diff --git a/src/auth/middleware.ts b/src/auth/middleware.ts
@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext
       }
     } catch (e) {
       logger.error(`Can't verify JWT token ${e.toString() as string}`)
-      throw new Error("Unauthorized. Can't verify JWT token")
+      // Return empty user instead of throwing - allows public queries to work
+      // Mutations will be blocked by graphql-shield permissions
+      return { user: EMTPY_USER }
     }
   }
 
diff --git a/src/auth/permissions.ts b/src/auth/permissions.ts
@@ -1,3 +1,4 @@
+import { GraphQLError } from 'graphql'
 import { allow, and, or, shield } from 'graphql-shield'
 import { isEditor, isMediaOwner, isOwner, isUserAdmin, isValidEmail } from './rules.js'
 
@@ -24,7 +25,13 @@ const permissions = shield({
 },
 {
   allowExternalErrors: true,
-  fallbackRule: allow
+  fallbackRule: allow,
+  fallbackError: new GraphQLError('Not Authorised!', {
+    extensions: {
+      code: 'FORBIDDEN',
+      http: { status: 401 }
+    }
+  })
 })
 
 export default permissions

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext`
`45`	`45`	`}`
`46`	`46`	`} catch (e) {`
`47`	`47`	logger.error(`Can't verify JWT token ${e.toString() as string}`)
`48`		`- throw new Error("Unauthorized. Can't verify JWT token")`
	`48`	`+ // Return empty user instead of throwing - allows public queries to work`
	`49`	`+ // Mutations will be blocked by graphql-shield permissions`
	`50`	`+ return { user: EMTPY_USER }`
`49`	`51`	`}`
`50`	`52`	`}`
`51`	`53`