Merge pull request #486 from OpenBeta/fix/auth-401-response

clintonlunn · web-flow · commit f1508b2479cc · 2026-01-09T10:36:31.000-07:00
fix: return HTTP 401 for unauthorized mutations
diff --git a/src/__tests__/bulkImport.test.ts b/src/__tests__/bulkImport.test.ts
@@ -64,26 +64,26 @@ describe('bulkImportAreas', () => {
     await inMemoryDB.close()
   })
 
-  it('should return 403 if no user', async () => {
+  it('should return 401 if no user', async () => {
     const res = await queryAPI({
       app,
       query,
       operationName: 'bulkImportAreas',
       variables: {input: exampleImportData}
     })
-    expect(res.statusCode).toBe(200)
+    expect(res.statusCode).toBe(401)
     expect(res.body.errors[0].message).toBe('Not Authorised!')
   })
 
-  it('should return 403 if user is not an editor', async () => {
+  it('should return 401 if user is not an editor', async () => {
     const res = await queryAPI({
       app,
       userUuid,
       query,
       operationName: 'bulkImportAreas',
       variables: {input: exampleImportData}
     })
-    expect(res.statusCode).toBe(200)
+    expect(res.statusCode).toBe(401)
     expect(res.body.errors[0].message).toBe('Not Authorised!')
   })
 
diff --git a/src/__tests__/organizations.ts b/src/__tests__/organizations.ts
@@ -170,7 +170,7 @@ describe('organizations API', () => {
         roles: ['editor'],
         app
       })
-      expect(response.statusCode).toBe(200)
+      expect(response.statusCode).toBe(401)
       expect(response.body.data.organization).toBeNull()
       expect(response.body.errors[0].message).toBe('Not Authorised!')
     })
diff --git a/src/auth/middleware.ts b/src/auth/middleware.ts
@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext
       }
     } catch (e) {
       logger.error(`Can't verify JWT token ${e.toString() as string}`)
-      throw new Error("Unauthorized. Can't verify JWT token")
+      // Return empty user instead of throwing - allows public queries to work
+      // Mutations will be blocked by graphql-shield permissions
+      return { user: EMTPY_USER }
     }
   }
 
diff --git a/src/auth/permissions.ts b/src/auth/permissions.ts
@@ -1,3 +1,4 @@
+import { GraphQLError } from 'graphql'
 import { allow, and, or, shield } from 'graphql-shield'
 import { isEditor, isMediaOwner, isOwner, isUserAdmin, isValidEmail } from './rules.js'
 
@@ -24,7 +25,13 @@ const permissions = shield({
 },
 {
   allowExternalErrors: true,
-  fallbackRule: allow
+  fallbackRule: allow,
+  fallbackError: new GraphQLError('Not Authorised!', {
+    extensions: {
+      code: 'FORBIDDEN',
+      http: { status: 401 }
+    }
+  })
 })
 
 export default permissions

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext`
`45`	`45`	`}`
`46`	`46`	`} catch (e) {`
`47`	`47`	logger.error(`Can't verify JWT token ${e.toString() as string}`)
`48`		`- throw new Error("Unauthorized. Can't verify JWT token")`
	`48`	`+ // Return empty user instead of throwing - allows public queries to work`
	`49`	`+ // Mutations will be blocked by graphql-shield permissions`
	`50`	`+ return { user: EMTPY_USER }`
`49`	`51`	`}`
`50`	`52`	`}`
`51`	`53`