Populate token details in error logs.

Author: rkistner

packages/service-core/src/auth/KeyStore.ts

@@ -73,7 +73,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
       throw new AuthorizationError(
         ErrorCode.PSYNC_S2105,
         `Unexpected "aud" claim value: ${JSON.stringify(tokenPayload.aud)}`,
-        { sensitiveDetails: `Current configuration allows these audience values: ${JSON.stringify(audiences)}` }
+        { configurationDetails: `Current configuration allows these audience values: ${JSON.stringify(audiences)}` }
       );
     }
 
@@ -111,7 +111,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
       );
       return { result, keyOptions: keyOptions! };
     } catch (e) {
-      throw mapAuthError(e);
+      throw mapAuthError(e, token);
     }
   }
 
@@ -125,7 +125,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         if (key.kid == kid) {
           if (!key.matchesAlgorithm(header.alg)) {
             throw new AuthorizationError(ErrorCode.PSYNC_S2101, `Unexpected token algorithm ${header.alg}`, {
-              sensitiveDetails: `Key kid: ${key.source.kid}, alg: ${key.source.alg}, kty: ${key.source.kty}`
+              // Token details automatically populated elsewhere
             });
           }
           return key;
@@ -163,7 +163,8 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         ErrorCode.PSYNC_S2101,
         'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID',
         {
-          sensitiveDetails: `Token kid: ${kid}, token algorithm: ${header.alg}, known kid values: ${keys.map((key) => key.kid ?? '*').join(', ')}`
+          configurationDetails: `Known kid values: ${keys.map((key) => key.kid ?? '*').join(', ')}`
+          // tokenDetails automatically populated later
         }
       );
     }

packages/service-core/src/auth/RemoteJWKSCollector.ts

@@ -64,7 +64,7 @@ export class RemoteJWKSCollector implements KeyCollector {
 
     if (!res.ok) {
       throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed with ${res.statusText}`, {
-        sensitiveDetails: `JWKS URL: ${this.url}`
+        configurationDetails: `JWKS URL: ${this.url}`
       });
     }
 
@@ -82,7 +82,7 @@ export class RemoteJWKSCollector implements KeyCollector {
         keys: [],
         errors: [
           new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed with ${res.statusText}`, {
-            sensitiveDetails: `JWKS URL: ${this.url}. Response:\n${JSON.stringify(data, null, 2)}`
+            configurationDetails: `JWKS URL: ${this.url}. Response:\n${JSON.stringify(data, null, 2)}`
           })
         ]
       };

packages/service-core/src/auth/utils.ts

@@ -1,33 +1,45 @@
 import { AuthorizationError, ErrorCode } from '@powersync/lib-services-framework';
 import * as jose from 'jose';
 
-export function mapJoseError(error: jose.errors.JOSEError): AuthorizationError {
-  // TODO: improved message for exp issues, etc
+export function mapJoseError(error: jose.errors.JOSEError, token: string): AuthorizationError {
+  const tokenDetails = tokenDebugDetails(token);
   if (error.code === jose.errors.JWSInvalid.code || error.code === jose.errors.JWTInvalid.code) {
-    throw new AuthorizationError(ErrorCode.PSYNC_S2101, 'Token is not a well-formed JWT. Check the token format.', {
-      details: error.message
+    return new AuthorizationError(ErrorCode.PSYNC_S2101, 'Token is not a well-formed JWT. Check the token format.', {
+      tokenDetails,
+      cause: error
     });
   } else if (error.code === jose.errors.JWTClaimValidationFailed.code) {
-    // Example: missing required "sub" claim
+    // Jose message: missing required "sub" claim
     const claim = (error as jose.errors.JWTClaimValidationFailed).claim;
-    throw new AuthorizationError(
+    return new AuthorizationError(
       ErrorCode.PSYNC_S2101,
       `JWT payload is missing a required claim ${JSON.stringify(claim)}`,
       {
-        cause: error
+        cause: error,
+        tokenDetails
       }
     );
+  } else if (error.code == jose.errors.JWTExpired.code) {
+    // Jose message: "exp" claim timestamp check failed
+    return new AuthorizationError(ErrorCode.PSYNC_S2103, `JWT has expired`, {
+      cause: error,
+      tokenDetails
+    });
   }
   return new AuthorizationError(ErrorCode.PSYNC_S2101, error.message, { cause: error });
 }
 
-export function mapAuthError(error: any): AuthorizationError {
+export function mapAuthError(error: any, token: string): AuthorizationError {
   if (error instanceof AuthorizationError) {
+    error.tokenDetails ??= tokenDebugDetails(token);
     return error;
   } else if (error instanceof jose.errors.JOSEError) {
-    return mapJoseError(error);
+    return mapJoseError(error, token);
   }
-  return new AuthorizationError(ErrorCode.PSYNC_S2101, error.message, { cause: error });
+  return new AuthorizationError(ErrorCode.PSYNC_S2101, error.message, {
+    cause: error,
+    tokenDetails: tokenDebugDetails(token)
+  });
 }
 
 export function mapJoseConfigError(error: jose.errors.JOSEError): AuthorizationError {
@@ -42,3 +54,49 @@ export function mapAuthConfigError(error: any): AuthorizationError {
   }
   return new AuthorizationError(ErrorCode.PSYNC_S2201, error.message ?? 'Auth configuration error', { cause: error });
 }
+
+/**
+ * Decode token for debugging purposes.
+ *
+ * We use this to add details to our logs. We don't log the entire token, since it may for example
+ * a password incorrectly used as a token.
+ */
+function tokenDebugDetails(token: string): string {
+  try {
+    // For valid tokens, we return the header and payload
+    const header = jose.decodeProtectedHeader(token);
+    const payload = jose.decodeJwt(token);
+    return `<header: ${JSON.stringify(header)} payload: ${JSON.stringify(payload)}>`;
+  } catch (e) {
+    // Token fails to parse. Return some details.
+    return invalidTokenDetails(token);
+  }
+}
+
+function invalidTokenDetails(token: string): string {
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    return `<token with ${parts.length} parts (needs 3), length=${token.length}>`;
+  }
+
+  const [headerB64, payloadB64, signatureB64] = parts;
+
+  try {
+    JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
+  } catch (e) {
+    return `<token with unparsable header>`;
+  }
+
+  try {
+    JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
+  } catch (e) {
+    return `<token with unparsable payload>`;
+  }
+  try {
+    Buffer.from(signatureB64, 'base64url');
+  } catch (e) {
+    return `<token with unparsable signature>`;
+  }
+
+  return `<invalid JWT, length=${token.length}>`;
+}

packages/service-core/src/routes/auth.ts

@@ -141,7 +141,7 @@ export async function generateContext(serviceContext: ServiceContext, token: str
   } catch (err) {
     return {
       context: null,
-      tokenError: auth.mapAuthError(err)
+      tokenError: auth.mapAuthError(err, token)
     };
   }
 }

packages/service-core/test/src/auth.test.ts

@@ -105,6 +105,24 @@ describe('JWT Auth', () => {
         maxAge: '5m'
       })
     ).rejects.toThrow('[PSYNC_S2101] JWT payload is missing a required claim "sub"');
+
+    // expired token
+    const d = Math.round(Date.now() / 1000);
+    const signedJwt3 = await new jose.SignJWT({})
+      .setProtectedHeader({ alg: 'HS256', kid: 'k1' })
+      .setSubject('f1')
+      .setIssuedAt(d - 500)
+      .setIssuer('tester')
+      .setAudience('tests')
+      .setExpirationTime(d - 400)
+      .sign(signKey);
+
+    await expect(
+      store.verifyJwt(signedJwt3, {
+        defaultAudiences: ['tests'],
+        maxAge: '5m'
+      })
+    ).rejects.toThrow('[PSYNC_S2103] JWT has expired');
   });
 
   test('Algorithm validation', async () => {
@@ -356,7 +374,6 @@ describe('JWT Auth', () => {
     await cached.addTimeForTests(0);
     response = await cached.getKeys();
     // Still have the cached key, but also have the error
-    console.log('e', response.errors[0]);
     expect(response.keys[0].kid).toEqual(publicKeyRSA.kid!);
     expect(response.errors[0].message).toMatch('[PSYNC_S2201] refresh failed');
 

packages/service-errors/src/errors.ts

@@ -160,18 +160,30 @@ export class ReplicationAbortedError extends ServiceError {
 }
 
 export class AuthorizationError extends ServiceError {
+  /**
+   * String describing the token. Does not contain the full token, but may help with debugging.
+   * Safe for logs.
+   */
+  tokenDetails: string | undefined;
+  /**
+   * String describing related configuration. Should never be returned to the client.
+   * Safe for logs.
+   */
+  configurationDetails: string | undefined;
+
   constructor(
     code: ErrorCode,
     description: string,
-    options?: Partial<ErrorData> & { sensitiveDetails?: string; cause?: any }
+    options?: { tokenDetails?: string; configurationDetails?: string; cause?: any }
   ) {
     super({
       code,
       status: 401,
-      description,
-      ...options
+      description
     });
     this.cause = this.cause;
+    this.tokenDetails = options?.tokenDetails;
+    this.configurationDetails = options?.configurationDetails;
   }
 }