chore: address PR comments

gwossum · gwossum · commit b71320eef151 · 2025-11-19T13:30:47.000-06:00
diff --git a/authorization/error.go b/authorization/error.go
@@ -50,12 +50,12 @@ func ErrInvalidAuthIDError(err error) *errors.Error {
 	}
 }
 
-// UnexpectedAuthIndexError is used when the error comes from an internal system.
-func UnexpectedAuthIndexError(err error) *errors.Error {
+// UnexpectedAuthBucketError is used when the error comes from an internal system.
+func UnexpectedAuthBucketError(index []byte, err error) *errors.Error {
 	var e *errors.Error
 	if !errors2.As(err, &e) {
 		e = &errors.Error{
-			Msg:  fmt.Sprintf("unexpected error retrieving auth index; Err: %v", err),
+			Msg:  fmt.Sprintf("unexpected error retrieving auth bucket %q; Err: %v", index, err),
 			Code: errors.EInternal,
 			Err:  err,
 		}
diff --git a/authorization/hasher.go b/authorization/hasher.go
@@ -66,7 +66,7 @@ func NewAuthorizationHasher(opts ...AuthorizationHasherOption) (*AuthorizationHa
 	}
 
 	if len(options.decoderVariants) == 0 {
-		return nil, ErrNoDecoders
+		return nil, fmt.Errorf("error in NewAuthorizationHasher: %w", ErrNoDecoders)
 	}
 
 	// Create the hasher used for hashing new tokens before storage.
diff --git a/authorization/storage.go b/authorization/storage.go
@@ -118,9 +118,9 @@ var (
 )
 
 var (
-	authBucket      = []byte("authorizationsv1")
-	authIndex       = []byte("authorizationindexv1")
-	hashedAuthIndex = []byte("authorizationhashedindexv1")
+	authBucketName      = []byte("authorizationsv1")
+	authIndexName       = []byte("authorizationindexv1")
+	hashedAuthIndexName = []byte("authorizationhashedindexv1")
 )
 
 type Store struct {
@@ -199,13 +199,13 @@ func NewStore(ctx context.Context, kvStore kv.Store, useHashedTokens bool, opts
 	}
 
 	if err := s.setup(ctx); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error during authorization store setup: %w", err)
 	}
 
 	if s.hasher == nil {
 		hasher, err := s.autogenerateHasher(ctx, s.hasherVariantName)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error creating authorization store during autogenerateHasher: %w", err)
 		}
 		s.hasher = hasher
 	}
@@ -334,7 +334,7 @@ func (s *Store) Update(ctx context.Context, fn func(kv.Tx) error) error {
 
 func (s *Store) setup(ctx context.Context) error {
 	return s.View(ctx, func(tx kv.Tx) error {
-		if _, err := tx.Bucket(authBucket); err != nil {
+		if _, err := authBucket(tx); err != nil {
 			return err
 		}
 		if _, err := authIndexBucket(tx); err != nil {
@@ -392,7 +392,7 @@ func (s *Store) uniqueID(ctx context.Context, tx kv.Tx, bucket []byte, id platfo
 		}
 	}
 
-	b, err := tx.Bucket(bucket)
+	b, err := getNamedAuthBucket(tx, bucket)
 	if err != nil {
 		return err
 	}
diff --git a/authorization/storage_authorization.go b/authorization/storage_authorization.go
@@ -24,30 +24,33 @@ var (
 	ErrNoTokenAvailable    = goerrors.New("no token available for authorization")
 )
 
+func getNamedAuthBucket(tx kv.Tx, bucketName []byte) (kv.Bucket, error) {
+	b, err := tx.Bucket(bucketName)
+	if err != nil {
+		return nil, UnexpectedAuthBucketError(bucketName, err)
+	}
+
+	return b, nil
+}
+
+func authBucket(tx kv.Tx) (kv.Bucket, error) {
+	return getNamedAuthBucket(tx, authBucketName)
+}
+
 func authIndexKey(n string) []byte {
 	return []byte(n)
 }
 
 func authIndexBucket(tx kv.Tx) (kv.Bucket, error) {
-	b, err := tx.Bucket([]byte(authIndex))
-	if err != nil {
-		return nil, UnexpectedAuthIndexError(err)
-	}
-
-	return b, nil
+	return getNamedAuthBucket(tx, authIndexName)
 }
 
 func hashedAuthIndexKey(n string) []byte {
 	return []byte(n)
 }
 
 func hashedAuthIndexBucket(tx kv.Tx) (kv.Bucket, error) {
-	b, err := tx.Bucket([]byte(hashedAuthIndex))
-	if err != nil {
-		return nil, UnexpectedAuthIndexError(err)
-	}
-
-	return b, nil
+	return getNamedAuthBucket(tx, hashedAuthIndexName)
 }
 
 func (s *Store) encodeAuthorization(a *influxdb.Authorization) ([]byte, error) {
@@ -58,7 +61,7 @@ func (s *Store) encodeAuthorization(a *influxdb.Authorization) ([]byte, error) {
 	default:
 		return nil, &errors.Error{
 			Code: errors.EInvalid,
-			Msg:  "unknown authorization status",
+			Msg:  "encodeAuthorization: unknown authorization status",
 		}
 	}
 
@@ -73,12 +76,20 @@ func (s *Store) encodeAuthorization(a *influxdb.Authorization) ([]byte, error) {
 		redactedAuth.Token = ""
 		a = &redactedAuth
 	}
-	return json.Marshal(a)
+	if d, err := json.Marshal(a); err == nil {
+		return d, nil
+	} else {
+		return nil, &errors.Error{
+			Code: errors.EInvalid,
+			Msg:  "encodeAuthorization: marshalling error",
+			Err:  err,
+		}
+	}
 }
 
 func decodeAuthorization(b []byte, a *influxdb.Authorization) error {
 	if err := json.Unmarshal(b, a); err != nil {
-		return err
+		return fmt.Errorf("decodeAuthorization: %w", err)
 	}
 	if a.Status == "" {
 		a.Status = influxdb.Active
@@ -97,10 +108,10 @@ func (s *Store) transformToken(a *influxdb.Authorization) error {
 	if a.Token != "" && a.HashedToken != "" {
 		match, err := s.hasher.Match(a.HashedToken, a.Token)
 		if err != nil {
-			return fmt.Errorf("error matching tokens: %w", err)
+			return fmt.Errorf("transformToken: error matching tokens: %w", err)
 		}
 		if !match {
-			return ErrHashedTokenMismatch
+			return fmt.Errorf("transformToken: %w", ErrHashedTokenMismatch)
 		}
 	}
 
@@ -113,7 +124,7 @@ func (s *Store) transformToken(a *influxdb.Authorization) error {
 			// Note that even if a.HashedToken is set, we will regenerate it here. This ensures
 			// that a.HashedToken will be stored using the currently configured hashing algorithm.
 			if hashedToken, err := s.hasher.Hash(a.Token); err != nil {
-				return fmt.Errorf("error hashing token for token %d (%s): %w", a.ID, a.Description, err)
+				return fmt.Errorf("transformToken: error hashing token for token %d (%s): %w", a.ID, a.Description, err)
 			} else {
 				a.HashedToken = hashedToken
 			}
@@ -140,13 +151,13 @@ func (s *Store) CreateAuthorization(ctx context.Context, tx kv.Tx, a *influxdb.A
 
 	// if the provided ID is invalid, or already maps to an existing Auth, then generate a new one
 	if !a.ID.Valid() {
-		id, err := s.generateSafeID(ctx, tx, authBucket)
+		id, err := s.generateSafeID(ctx, tx, authBucketName)
 		if err != nil {
 			return nil
 		}
 		a.ID = id
 	} else if err := uniqueID(ctx, tx, a.ID); err != nil {
-		id, err := s.generateSafeID(ctx, tx, authBucket)
+		id, err := s.generateSafeID(ctx, tx, authBucketName)
 		if err != nil {
 			return nil
 		}
@@ -171,7 +182,7 @@ func (s *Store) GetAuthorizationByID(ctx context.Context, tx kv.Tx, id platform.
 		return nil, ErrInvalidAuthID
 	}
 
-	b, err := tx.Bucket(authBucket)
+	b, err := authBucket(tx)
 	if err != nil {
 		return nil, err
 	}
@@ -329,7 +340,7 @@ func (s *Store) ListAuthorizations(ctx context.Context, tx kv.Tx, f influxdb.Aut
 
 // forEachAuthorization will iterate through all authorizations while fn returns true.
 func (s *Store) forEachAuthorization(ctx context.Context, tx kv.Tx, pred kv.CursorPredicateFunc, fn func(*influxdb.Authorization) bool) error {
-	b, err := tx.Bucket(authBucket)
+	b, err := authBucket(tx)
 	if err != nil {
 		return err
 	}
@@ -402,9 +413,9 @@ func (s *Store) commitAuthorization(ctx context.Context, tx kv.Tx, a *influxdb.A
 		}
 	}
 
-	b, err := tx.Bucket(authBucket)
+	b, err := authBucket(tx)
 	if err != nil {
-		return errors.ErrInternalServiceError(err, errors.WithErrorCode(errors.EInternal))
+		return err // authBucket already wraps the error
 	}
 
 	if err := b.Put(encodedID, v); err != nil {
@@ -429,13 +440,13 @@ func (s *Store) deleteIndices(ctx context.Context, tx kv.Tx, token, hashedToken
 
 	if token != "" {
 		if err := authIdx.Delete([]byte(token)); err != nil {
-			return err
+			return fmt.Errorf("deleteIndices: error deleting from authIndex: %w", err)
 		}
 	}
 
 	if hashedToken != "" {
 		if err := hashedAuthIdx.Delete([]byte(hashedToken)); err != nil {
-			return err
+			return fmt.Errorf("deleteIndices: error deleting from hashedAuthIndex: %w", err)
 		}
 	}
 
@@ -492,7 +503,7 @@ func (s *Store) DeleteAuthorization(ctx context.Context, tx kv.Tx, id platform.I
 		return ErrInvalidAuthID
 	}
 
-	b, err := tx.Bucket(authBucket)
+	b, err := authBucket(tx)
 	if err != nil {
 		return err
 	}
@@ -509,22 +520,23 @@ func (s *Store) DeleteAuthorization(ctx context.Context, tx kv.Tx, id platform.I
 }
 
 func (s *Store) uniqueAuthTokenByIndex(ctx context.Context, tx kv.Tx, index, key []byte) error {
-	err := unique(ctx, tx, index, key)
-	if err == kv.NotUniqueError {
+	if err := unique(ctx, tx, index, key); err == nil {
+		return nil
+	} else if err == kv.NotUniqueError {
 		// by returning a generic error we are trying to hide when
 		// a token is non-unique.
 		return influxdb.ErrUnableToCreateToken
+	} else {
+		// otherwise, this is some sort of internal server error and we
+		// should provide some debugging information.
+		return fmt.Errorf("error in uniqueAuthTokenByIndex for index %q: %w", index, err)
 	}
-
-	// otherwise, this is some sort of internal server error and we
-	// should provide some debugging information.
-	return err
 }
 
 func (s *Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a *influxdb.Authorization) error {
 	// Check if the raw token is unique.
 	if a.Token != "" {
-		if err := s.uniqueAuthTokenByIndex(ctx, tx, authIndex, authIndexKey(a.Token)); err != nil {
+		if err := s.uniqueAuthTokenByIndex(ctx, tx, authIndexName, authIndexKey(a.Token)); err != nil {
 			return err
 		}
 	}
@@ -544,7 +556,7 @@ func (s *Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a *influxdb.Autho
 	}
 
 	for _, hashedToken := range allHashedTokens {
-		if err := s.uniqueAuthTokenByIndex(ctx, tx, hashedAuthIndex, hashedAuthIndexKey(hashedToken)); err != nil {
+		if err := s.uniqueAuthTokenByIndex(ctx, tx, hashedAuthIndexName, hashedAuthIndexKey(hashedToken)); err != nil {
 			if !s.ignoreMissingHashIndex || !goerrors.Is(err, kv.ErrBucketNotFound) {
 				return err
 			}
@@ -555,9 +567,9 @@ func (s *Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a *influxdb.Autho
 }
 
 func unique(ctx context.Context, tx kv.Tx, indexBucket, indexKey []byte) error {
-	bucket, err := tx.Bucket(indexBucket)
+	bucket, err := getNamedAuthBucket(tx, indexBucket)
 	if err != nil {
-		return kv.UnexpectedIndexError(err)
+		return err
 	}
 
 	_, err = bucket.Get(indexKey)
@@ -582,9 +594,9 @@ func uniqueID(ctx context.Context, tx kv.Tx, id platform.ID) error {
 		return ErrInvalidAuthID
 	}
 
-	b, err := tx.Bucket(authBucket)
+	b, err := authBucket(tx)
 	if err != nil {
-		return errors.ErrInternalServiceError(err)
+		return err // authBucket already wraps the error
 	}
 
 	_, err = b.Get(encodedID)
diff --git a/authorization/storage_authorization_test.go b/authorization/storage_authorization_test.go
diff --git a/testing/auth.go b/testing/auth.go

Original file line number	Diff line number	Diff line change
`@@ -50,12 +50,12 @@ func ErrInvalidAuthIDError(err error) *errors.Error {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`-// UnexpectedAuthIndexError is used when the error comes from an internal system.`
`54`		`-func UnexpectedAuthIndexError(err error) *errors.Error {`
	`53`	`+// UnexpectedAuthBucketError is used when the error comes from an internal system.`
	`54`	`+func UnexpectedAuthBucketError(index []byte, err error) *errors.Error {`
`55`	`55`	`var e *errors.Error`
`56`	`56`	`if !errors2.As(err, &e) {`
`57`	`57`	`e = &errors.Error{`
`58`		`- Msg: fmt.Sprintf("unexpected error retrieving auth index; Err: %v", err),`
	`58`	`+ Msg: fmt.Sprintf("unexpected error retrieving auth bucket %q; Err: %v", index, err),`
`59`	`59`	`Code: errors.EInternal,`
`60`	`60`	`Err: err,`
`61`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func NewAuthorizationHasher(opts ...AuthorizationHasherOption) (*AuthorizationHa`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`if len(options.decoderVariants) == 0 {`
`69`		`- return nil, ErrNoDecoders`
	`69`	`+ return nil, fmt.Errorf("error in NewAuthorizationHasher: %w", ErrNoDecoders)`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`// Create the hasher used for hashing new tokens before storage.`
Original file line number	Diff line number	Diff line change
`@@ -118,9 +118,9 @@ var (`
`118`	`118`	`)`
`119`	`119`
`120`	`120`	`var (`
`121`		`- authBucket = []byte("authorizationsv1")`
`122`		`- authIndex = []byte("authorizationindexv1")`
`123`		`- hashedAuthIndex = []byte("authorizationhashedindexv1")`
	`121`	`+ authBucketName = []byte("authorizationsv1")`
	`122`	`+ authIndexName = []byte("authorizationindexv1")`
	`123`	`+ hashedAuthIndexName = []byte("authorizationhashedindexv1")`
`124`	`124`	`)`
`125`	`125`
`126`	`126`	`type Store struct {`
`@@ -199,13 +199,13 @@ func NewStore(ctx context.Context, kvStore kv.Store, useHashedTokens bool, opts`
`199`	`199`	`}`
`200`	`200`
`201`	`201`	`if err := s.setup(ctx); err != nil {`
`202`		`- return nil, err`
	`202`	`+ return nil, fmt.Errorf("error during authorization store setup: %w", err)`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`if s.hasher == nil {`
`206`	`206`	`hasher, err := s.autogenerateHasher(ctx, s.hasherVariantName)`
`207`	`207`	`if err != nil {`
`208`		`- return nil, err`
	`208`	`+ return nil, fmt.Errorf("error creating authorization store during autogenerateHasher: %w", err)`
`209`	`209`	`}`
`210`	`210`	`s.hasher = hasher`
`211`	`211`	`}`
`@@ -334,7 +334,7 @@ func (s *Store) Update(ctx context.Context, fn func(kv.Tx) error) error {`
`334`	`334`
`335`	`335`	`func (s *Store) setup(ctx context.Context) error {`
`336`	`336`	`return s.View(ctx, func(tx kv.Tx) error {`
`337`		`- if _, err := tx.Bucket(authBucket); err != nil {`
	`337`	`+ if _, err := authBucket(tx); err != nil {`
`338`	`338`	`return err`
`339`	`339`	`}`
`340`	`340`	`if _, err := authIndexBucket(tx); err != nil {`
`@@ -392,7 +392,7 @@ func (s *Store) uniqueID(ctx context.Context, tx kv.Tx, bucket []byte, id platfo`
`392`	`392`	`}`
`393`	`393`	`}`
`394`	`394`
`395`		`- b, err := tx.Bucket(bucket)`
	`395`	`+ b, err := getNamedAuthBucket(tx, bucket)`
`396`	`396`	`if err != nil {`
`397`	`397`	`return err`
`398`	`398`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,30 +24,33 @@ var (`
`24`	`24`	`ErrNoTokenAvailable = goerrors.New("no token available for authorization")`
`25`	`25`	`)`
`26`	`26`
	`27`	`+func getNamedAuthBucket(tx kv.Tx, bucketName []byte) (kv.Bucket, error) {`
	`28`	`+ b, err := tx.Bucket(bucketName)`
	`29`	`+ if err != nil {`
	`30`	`+ return nil, UnexpectedAuthBucketError(bucketName, err)`
	`31`	`+ }`
	`32`	`+`
	`33`	`+ return b, nil`
	`34`	`+}`
	`35`	`+`
	`36`	`+func authBucket(tx kv.Tx) (kv.Bucket, error) {`
	`37`	`+ return getNamedAuthBucket(tx, authBucketName)`
	`38`	`+}`
	`39`	`+`
`27`	`40`	`func authIndexKey(n string) []byte {`
`28`	`41`	`return []byte(n)`
`29`	`42`	`}`
`30`	`43`
`31`	`44`	`func authIndexBucket(tx kv.Tx) (kv.Bucket, error) {`
`32`		`- b, err := tx.Bucket([]byte(authIndex))`
`33`		`- if err != nil {`
`34`		`- return nil, UnexpectedAuthIndexError(err)`
`35`		`- }`
`36`		`-`
`37`		`- return b, nil`
	`45`	`+ return getNamedAuthBucket(tx, authIndexName)`
`38`	`46`	`}`
`39`	`47`
`40`	`48`	`func hashedAuthIndexKey(n string) []byte {`
`41`	`49`	`return []byte(n)`
`42`	`50`	`}`
`43`	`51`
`44`	`52`	`func hashedAuthIndexBucket(tx kv.Tx) (kv.Bucket, error) {`
`45`		`- b, err := tx.Bucket([]byte(hashedAuthIndex))`
`46`		`- if err != nil {`
`47`		`- return nil, UnexpectedAuthIndexError(err)`
`48`		`- }`
`49`		`-`
`50`		`- return b, nil`
	`53`	`+ return getNamedAuthBucket(tx, hashedAuthIndexName)`
`51`	`54`	`}`
`52`	`55`
`53`	`56`	`func (s Store) encodeAuthorization(a influxdb.Authorization) ([]byte, error) {`
`@@ -58,7 +61,7 @@ func (s Store) encodeAuthorization(a influxdb.Authorization) ([]byte, error) {`
`58`	`61`	`default:`
`59`	`62`	`return nil, &errors.Error{`
`60`	`63`	`Code: errors.EInvalid,`
`61`		`- Msg: "unknown authorization status",`
	`64`	`+ Msg: "encodeAuthorization: unknown authorization status",`
`62`	`65`	`}`
`63`	`66`	`}`
`64`	`67`
`@@ -73,12 +76,20 @@ func (s Store) encodeAuthorization(a influxdb.Authorization) ([]byte, error) {`
`73`	`76`	`redactedAuth.Token = ""`
`74`	`77`	`a = &redactedAuth`
`75`	`78`	`}`
`76`		`- return json.Marshal(a)`
	`79`	`+ if d, err := json.Marshal(a); err == nil {`
	`80`	`+ return d, nil`
	`81`	`+ } else {`
	`82`	`+ return nil, &errors.Error{`
	`83`	`+ Code: errors.EInvalid,`
	`84`	`+ Msg: "encodeAuthorization: marshalling error",`
	`85`	`+ Err: err,`
	`86`	`+ }`
	`87`	`+ }`
`77`	`88`	`}`
`78`	`89`
`79`	`90`	`func decodeAuthorization(b []byte, a *influxdb.Authorization) error {`
`80`	`91`	`if err := json.Unmarshal(b, a); err != nil {`
`81`		`- return err`
	`92`	`+ return fmt.Errorf("decodeAuthorization: %w", err)`
`82`	`93`	`}`
`83`	`94`	`if a.Status == "" {`
`84`	`95`	`a.Status = influxdb.Active`
`@@ -97,10 +108,10 @@ func (s Store) transformToken(a influxdb.Authorization) error {`
`97`	`108`	`if a.Token != "" && a.HashedToken != "" {`
`98`	`109`	`match, err := s.hasher.Match(a.HashedToken, a.Token)`
`99`	`110`	`if err != nil {`
`100`		`- return fmt.Errorf("error matching tokens: %w", err)`
	`111`	`+ return fmt.Errorf("transformToken: error matching tokens: %w", err)`
`101`	`112`	`}`
`102`	`113`	`if !match {`
`103`		`- return ErrHashedTokenMismatch`
	`114`	`+ return fmt.Errorf("transformToken: %w", ErrHashedTokenMismatch)`
`104`	`115`	`}`
`105`	`116`	`}`
`106`	`117`
`@@ -113,7 +124,7 @@ func (s Store) transformToken(a influxdb.Authorization) error {`
`113`	`124`	`// Note that even if a.HashedToken is set, we will regenerate it here. This ensures`
`114`	`125`	`// that a.HashedToken will be stored using the currently configured hashing algorithm.`
`115`	`126`	`if hashedToken, err := s.hasher.Hash(a.Token); err != nil {`
`116`		`- return fmt.Errorf("error hashing token for token %d (%s): %w", a.ID, a.Description, err)`
	`127`	`+ return fmt.Errorf("transformToken: error hashing token for token %d (%s): %w", a.ID, a.Description, err)`
`117`	`128`	`} else {`
`118`	`129`	`a.HashedToken = hashedToken`
`119`	`130`	`}`
`@@ -140,13 +151,13 @@ func (s Store) CreateAuthorization(ctx context.Context, tx kv.Tx, a influxdb.A`
`140`	`151`
`141`	`152`	`// if the provided ID is invalid, or already maps to an existing Auth, then generate a new one`
`142`	`153`	`if !a.ID.Valid() {`
`143`		`- id, err := s.generateSafeID(ctx, tx, authBucket)`
	`154`	`+ id, err := s.generateSafeID(ctx, tx, authBucketName)`
`144`	`155`	`if err != nil {`
`145`	`156`	`return nil`
`146`	`157`	`}`
`147`	`158`	`a.ID = id`
`148`	`159`	`} else if err := uniqueID(ctx, tx, a.ID); err != nil {`
`149`		`- id, err := s.generateSafeID(ctx, tx, authBucket)`
	`160`	`+ id, err := s.generateSafeID(ctx, tx, authBucketName)`
`150`	`161`	`if err != nil {`
`151`	`162`	`return nil`
`152`	`163`	`}`
`@@ -171,7 +182,7 @@ func (s *Store) GetAuthorizationByID(ctx context.Context, tx kv.Tx, id platform.`
`171`	`182`	`return nil, ErrInvalidAuthID`
`172`	`183`	`}`
`173`	`184`
`174`		`- b, err := tx.Bucket(authBucket)`
	`185`	`+ b, err := authBucket(tx)`
`175`	`186`	`if err != nil {`
`176`	`187`	`return nil, err`
`177`	`188`	`}`
`@@ -329,7 +340,7 @@ func (s *Store) ListAuthorizations(ctx context.Context, tx kv.Tx, f influxdb.Aut`
`329`	`340`
`330`	`341`	`// forEachAuthorization will iterate through all authorizations while fn returns true.`
`331`	`342`	`func (s Store) forEachAuthorization(ctx context.Context, tx kv.Tx, pred kv.CursorPredicateFunc, fn func(influxdb.Authorization) bool) error {`
`332`		`- b, err := tx.Bucket(authBucket)`
	`343`	`+ b, err := authBucket(tx)`
`333`	`344`	`if err != nil {`
`334`	`345`	`return err`
`335`	`346`	`}`
`@@ -402,9 +413,9 @@ func (s Store) commitAuthorization(ctx context.Context, tx kv.Tx, a influxdb.A`
`402`	`413`	`}`
`403`	`414`	`}`
`404`	`415`
`405`		`- b, err := tx.Bucket(authBucket)`
	`416`	`+ b, err := authBucket(tx)`
`406`	`417`	`if err != nil {`
`407`		`- return errors.ErrInternalServiceError(err, errors.WithErrorCode(errors.EInternal))`
	`418`	`+ return err // authBucket already wraps the error`
`408`	`419`	`}`
`409`	`420`
`410`	`421`	`if err := b.Put(encodedID, v); err != nil {`
`@@ -429,13 +440,13 @@ func (s *Store) deleteIndices(ctx context.Context, tx kv.Tx, token, hashedToken`
`429`	`440`
`430`	`441`	`if token != "" {`
`431`	`442`	`if err := authIdx.Delete([]byte(token)); err != nil {`
`432`		`- return err`
	`443`	`+ return fmt.Errorf("deleteIndices: error deleting from authIndex: %w", err)`
`433`	`444`	`}`
`434`	`445`	`}`
`435`	`446`
`436`	`447`	`if hashedToken != "" {`
`437`	`448`	`if err := hashedAuthIdx.Delete([]byte(hashedToken)); err != nil {`
`438`		`- return err`
	`449`	`+ return fmt.Errorf("deleteIndices: error deleting from hashedAuthIndex: %w", err)`
`439`	`450`	`}`
`440`	`451`	`}`
`441`	`452`
`@@ -492,7 +503,7 @@ func (s *Store) DeleteAuthorization(ctx context.Context, tx kv.Tx, id platform.I`
`492`	`503`	`return ErrInvalidAuthID`
`493`	`504`	`}`
`494`	`505`
`495`		`- b, err := tx.Bucket(authBucket)`
	`506`	`+ b, err := authBucket(tx)`
`496`	`507`	`if err != nil {`
`497`	`508`	`return err`
`498`	`509`	`}`
`@@ -509,22 +520,23 @@ func (s *Store) DeleteAuthorization(ctx context.Context, tx kv.Tx, id platform.I`
`509`	`520`	`}`
`510`	`521`
`511`	`522`	`func (s *Store) uniqueAuthTokenByIndex(ctx context.Context, tx kv.Tx, index, key []byte) error {`
`512`		`- err := unique(ctx, tx, index, key)`
`513`		`- if err == kv.NotUniqueError {`
	`523`	`+ if err := unique(ctx, tx, index, key); err == nil {`
	`524`	`+ return nil`
	`525`	`+ } else if err == kv.NotUniqueError {`
`514`	`526`	`// by returning a generic error we are trying to hide when`
`515`	`527`	`// a token is non-unique.`
`516`	`528`	`return influxdb.ErrUnableToCreateToken`
	`529`	`+ } else {`
	`530`	`+ // otherwise, this is some sort of internal server error and we`
	`531`	`+ // should provide some debugging information.`
	`532`	`+ return fmt.Errorf("error in uniqueAuthTokenByIndex for index %q: %w", index, err)`
`517`	`533`	`}`
`518`		`-`
`519`		`- // otherwise, this is some sort of internal server error and we`
`520`		`- // should provide some debugging information.`
`521`		`- return err`
`522`	`534`	`}`
`523`	`535`
`524`	`536`	`func (s Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a influxdb.Authorization) error {`
`525`	`537`	`// Check if the raw token is unique.`
`526`	`538`	`if a.Token != "" {`
`527`		`- if err := s.uniqueAuthTokenByIndex(ctx, tx, authIndex, authIndexKey(a.Token)); err != nil {`
	`539`	`+ if err := s.uniqueAuthTokenByIndex(ctx, tx, authIndexName, authIndexKey(a.Token)); err != nil {`
`528`	`540`	`return err`
`529`	`541`	`}`
`530`	`542`	`}`
`@@ -544,7 +556,7 @@ func (s Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a influxdb.Autho`
`544`	`556`	`}`
`545`	`557`
`546`	`558`	`for _, hashedToken := range allHashedTokens {`
`547`		`- if err := s.uniqueAuthTokenByIndex(ctx, tx, hashedAuthIndex, hashedAuthIndexKey(hashedToken)); err != nil {`
	`559`	`+ if err := s.uniqueAuthTokenByIndex(ctx, tx, hashedAuthIndexName, hashedAuthIndexKey(hashedToken)); err != nil {`
`548`	`560`	`if !s.ignoreMissingHashIndex \|\| !goerrors.Is(err, kv.ErrBucketNotFound) {`
`549`	`561`	`return err`
`550`	`562`	`}`
`@@ -555,9 +567,9 @@ func (s Store) uniqueAuthToken(ctx context.Context, tx kv.Tx, a influxdb.Autho`
`555`	`567`	`}`
`556`	`568`
`557`	`569`	`func unique(ctx context.Context, tx kv.Tx, indexBucket, indexKey []byte) error {`
`558`		`- bucket, err := tx.Bucket(indexBucket)`
	`570`	`+ bucket, err := getNamedAuthBucket(tx, indexBucket)`
`559`	`571`	`if err != nil {`
`560`		`- return kv.UnexpectedIndexError(err)`
	`572`	`+ return err`
`561`	`573`	`}`
`562`	`574`
`563`	`575`	`_, err = bucket.Get(indexKey)`
`@@ -582,9 +594,9 @@ func uniqueID(ctx context.Context, tx kv.Tx, id platform.ID) error {`
`582`	`594`	`return ErrInvalidAuthID`
`583`	`595`	`}`
`584`	`596`
`585`		`- b, err := tx.Bucket(authBucket)`
	`597`	`+ b, err := authBucket(tx)`
`586`	`598`	`if err != nil {`
`587`		`- return errors.ErrInternalServiceError(err)`
	`599`	`+ return err // authBucket already wraps the error`
`588`	`600`	`}`
`589`	`601`
`590`	`602`	`_, err = b.Get(encodedID)`