fix(auth): improve token validation & logging

- Added extensive logging
- Improved error handling
- Fixed sub claim type check

Author: fulleni

lib/src/middlewares/authentication_middleware.dart

@@ -17,23 +17,37 @@ import 'package:ht_shared/ht_shared.dart';
 Middleware authenticationProvider() {
   return (handler) {
     return (context) async {
-      // Read the AuthTokenService provided by earlier middleware
-      final tokenService = context.read<AuthTokenService>();
+      print('[AuthMiddleware] Entered.'); // Log 1: Entry
+      AuthTokenService tokenService;
+      try {
+        print('[AuthMiddleware] Attempting to read AuthTokenService...'); // Log 2: Before read
+        tokenService = context.read<AuthTokenService>();
+        print('[AuthMiddleware] Successfully read AuthTokenService.'); // Log 3: After read
+      } catch (e, s) {
+        print('[AuthMiddleware] FAILED to read AuthTokenService: $e\n$s'); // Log Error
+        // Re-throw the error to be caught by the main error handler
+        rethrow;
+      }
       User? user; // Initialize user as null
 
       // Extract the Authorization header
+      print('[AuthMiddleware] Attempting to read Authorization header...'); // Log 4: Before header read
       final authHeader = context.request.headers['Authorization'];
+      print('[AuthMiddleware] Authorization header value: $authHeader'); // Log 5: Header value
 
       if (authHeader != null && authHeader.startsWith('Bearer ')) {
         // Extract the token string
         final token = authHeader.substring(7); // Length of 'Bearer '
+        print('[AuthMiddleware] Extracted Bearer token.'); // Log 6: Token extracted
         try {
+          print('[AuthMiddleware] Attempting to validate token...'); // Log 7: Before validate
           // Validate the token using the service
           user = await tokenService.validateToken(token);
+          print('[AuthMiddleware] Token validation returned: ${user?.id ?? 'null'}'); // Log 8: After validate
           if (user != null) {
-            print('Authentication successful for user: ${user.id}');
+            print('[AuthMiddleware] Authentication successful for user: ${user.id}');
           } else {
-            print('Invalid token provided.');
+            print('[AuthMiddleware] Invalid token provided (validateToken returned null).');
             // Optional: Could throw UnauthorizedException here if *all* routes
             // using this middleware strictly require a valid token.
             // However, providing null allows routes to handle optional auth.
@@ -43,18 +57,19 @@ Middleware authenticationProvider() {
           print('Token validation failed: $e');
           // Let the error propagate if needed, or handle specific cases.
           // For now, we treat validation errors as resulting in no user.
-          user = null;
-        } catch (e) {
+          user = null; // Keep user null if HtHttpException occurred
+        } catch (e, s) {
           // Catch unexpected errors during validation
-          print('Unexpected error during token validation: $e');
-          user = null;
+          print('[AuthMiddleware] Unexpected error during token validation: $e\n$s');
+          user = null; // Keep user null if unexpected error occurred
         }
       } else {
-        print('No valid Authorization header found.');
+        print('[AuthMiddleware] No valid Bearer token found in header.');
       }
 
       // Provide the User object (or null) into the context
       // This makes `context.read<User?>()` available downstream.
+      print('[AuthMiddleware] Providing User (${user?.id ?? 'null'}) to context.'); // Log 9: Before provide
       return handler(context.provide<User?>(() => user));
     };
   };

lib/src/services/jwt_auth_token_service.dart

@@ -82,46 +82,83 @@ class JwtAuthTokenService implements AuthTokenService {
 
   @override
   Future<User?> validateToken(String token) async {
+    print('[validateToken] Attempting to validate token...');
     try {
       // Verify the token's signature and expiry
+      print('[validateToken] Verifying token signature and expiry...');
       final jwt = JWT.verify(token, SecretKey(_secretKey));
+      print('[validateToken] Token verified. Payload: ${jwt.payload}');
 
       // Extract user ID from the subject claim
-      final userId = jwt.payload['sub'] as String?;
-      if (userId == null) {
-        print('Token validation failed: Missing "sub" claim.');
+      final subClaim = jwt.payload['sub'];
+      print(
+        '[validateToken] Extracted "sub" claim: $subClaim '
+        '(Type: ${subClaim.runtimeType})',
+      );
+
+      // Safely attempt to cast to String
+      String? userId;
+      if (subClaim is String) {
+        userId = subClaim;
+        print('[validateToken] "sub" claim successfully cast to String: $userId');
+      } else if (subClaim != null) {
+        print(
+          '[validateToken] WARNING: "sub" claim is not a String. '
+          'Attempting toString().',
+        );
+        // Handle potential non-string types if necessary, or throw error
+        // For now, let's treat non-string sub as an error
+        throw BadRequestException(
+          'Malformed token: "sub" claim is not a String '
+          '(Type: ${subClaim.runtimeType}).',
+        );
+      }
+
+      if (userId == null || userId.isEmpty) {
+        print('[validateToken] Token validation failed: Missing or empty "sub" claim.');
         // Throw specific exception for malformed token
         throw const BadRequestException(
-          'Malformed token: Missing subject claim.',
+          'Malformed token: Missing or empty subject claim.',
         );
       }
 
+      print('[validateToken] Attempting to fetch user with ID: $userId');
       // Fetch the full user object from the repository
       // This ensures the user still exists and is valid
       final user = await _userRepository.read(userId);
-      print('Token validated successfully for user ${user.id}');
+      print('[validateToken] User repository read successful for ID: $userId');
+      print('[validateToken] Token validated successfully for user ${user.id}');
       return user;
-    } on JWTExpiredException {
-      print('Token validation failed: Token expired.');
+    } on JWTExpiredException catch (e, s) {
+      print('[validateToken] CATCH JWTExpiredException: Token expired. $e\n$s');
       // Throw specific exception for expired token
       throw const UnauthorizedException('Token expired.');
-    } on JWTInvalidException catch (e) {
-      print('Token validation failed: Invalid token. Reason: ${e.message}');
+    } on JWTInvalidException catch (e, s) {
+      print(
+        '[validateToken] CATCH JWTInvalidException: Invalid token. '
+        'Reason: ${e.message}\n$s',
+      );
       // Throw specific exception for invalid token signature/format
       throw UnauthorizedException('Invalid token: ${e.message}');
-    } on JWTException catch (e) {
+    } on JWTException catch (e, s) {
       // Use JWTException as the general catch-all
-      print('Token validation failed: JWT Exception. Reason: ${e.message}');
+      print(
+        '[validateToken] CATCH JWTException: General JWT error. '
+        'Reason: ${e.message}\n$s',
+      );
       // Treat other JWT exceptions as invalid tokens
       throw UnauthorizedException('Invalid token: ${e.message}');
-    } on HtHttpException catch (e) {
+    } on HtHttpException catch (e, s) {
       // Handle errors from the user repository (e.g., user not found)
-      print('Token validation failed: Error fetching user $e');
+      print(
+        '[validateToken] CATCH HtHttpException: Error fetching user. '
+        'Type: ${e.runtimeType}, Message: $e\n$s',
+      );
       // Re-throw repository exceptions directly for the error handler
       rethrow;
-    } catch (e) {
+    } catch (e, s) {
       // Catch unexpected errors during validation
-      print('Unexpected error during token validation: $e');
+      print('[validateToken] CATCH UNEXPECTED Exception: $e\n$s');
       // Wrap unexpected errors in a standard exception type
       throw OperationFailedException(
         'Token validation failed unexpectedly: $e',

routes/_middleware.dart

@@ -6,7 +6,7 @@ import 'dart:convert';
 import 'dart:io';
 
 import 'package:dart_frog/dart_frog.dart';
-// import 'package:ht_api/src/middlewares/authentication_middleware.dart';
+import 'package:ht_api/src/middlewares/authentication_middleware.dart';
 import 'package:ht_api/src/middlewares/error_handler.dart';
 import 'package:ht_api/src/registry/model_registry.dart';
 import 'package:ht_api/src/services/auth_service.dart';
@@ -180,25 +180,30 @@ Handler middleware(Handler handler) {
       // No initial user data fixture needed for auth flow typically
     ),
   );
+  print('[MiddlewareSetup] HtDataRepository<User> instantiated.'); // Added log
   // Email Repo (using InMemory)
   const emailRepository = HtEmailRepository(
     emailClient: HtEmailInMemoryClient(),
   );
+  print('[MiddlewareSetup] HtEmailRepository instantiated.'); // Added log
   // Auth Services (using JWT and in-memory implementations)
   // Instantiate the new JWT service, passing its dependencies
   final authTokenService = JwtAuthTokenService(
     userRepository: userRepository,
     uuidGenerator: uuid,
   );
+  print('[MiddlewareSetup] JwtAuthTokenService instantiated.'); // Added log
   final verificationCodeStorageService =
       InMemoryVerificationCodeStorageService();
+  print('[MiddlewareSetup] InMemoryVerificationCodeStorageService instantiated.'); // Added log
   final authService = AuthService(
     userRepository: userRepository,
     authTokenService: authTokenService,
     verificationCodeStorageService: verificationCodeStorageService,
     emailRepository: emailRepository,
     uuidGenerator: uuid,
   );
+  print('[MiddlewareSetup] AuthService instantiated.'); // Added log
 
   // Chain the providers and other middleware
   return handler
@@ -240,7 +245,7 @@ Handler middleware(Handler handler) {
       // --- Core Middleware ---
       .use(requestLogger()) // Basic request logging
       // Apply authenticationProvider to make User? available downstream
-      // .use(authenticationProvider())
+      .use(authenticationProvider())
       // Error handler should generally be last to catch all upstream errors
       .use(errorHandler());
 }