Restructure auth errors.

rkistner · rkistner · commit a438f76711bd · 2025-05-07T13:10:58.000+02:00
diff --git a/libs/lib-services/src/router/endpoint.ts b/libs/lib-services/src/router/endpoint.ts
@@ -16,7 +16,10 @@ export const executeEndpoint = async <I, O, C, P extends EndpointHandlerPayload<
   }
   const authorizer_response = await endpoint.authorize?.(payload);
   if (authorizer_response && !authorizer_response.authorized) {
-    throw new errors.AuthorizationError(authorizer_response.errors);
+    if (authorizer_response.error == null) {
+      throw new errors.AuthorizationError2(errors.ErrorCode.PSYNC_S2101, 'Authorization failed');
+    }
+    throw authorizer_response.error;
   }
 
   return endpoint.handler(payload);
diff --git a/libs/lib-services/src/router/router-definitions.ts b/libs/lib-services/src/router/router-definitions.ts
@@ -1,3 +1,4 @@
+import { ServiceError } from '@powersync/service-errors';
 import { MicroValidator } from '../schema/definitions.js';
 
 /**
@@ -22,7 +23,7 @@ export type AuthorizationResponse =
     }
   | {
       authorized: false;
-      errors?: any[];
+      error?: ServiceError | undefined;
     };
 
 /**
diff --git a/packages/rsocket-router/src/router/ReactiveSocketRouter.ts b/packages/rsocket-router/src/router/ReactiveSocketRouter.ts
@@ -3,7 +3,7 @@
  * to expose reactive websocket stream in an interface similar to
  * other Journey micro routers.
  */
-import { errors, logger } from '@powersync/lib-services-framework';
+import { ErrorCode, errors, logger } from '@powersync/lib-services-framework';
 import * as http from 'http';
 import { Payload, RSocketServer } from 'rsocket-core';
 import * as ws from 'ws';
@@ -166,7 +166,9 @@ export async function handleReactiveStream<Context>(
       responder
     });
     if (!isAuthorized.authorized) {
-      return exitWithError(new errors.AuthorizationError(isAuthorized.errors));
+      return exitWithError(
+        isAuthorized.error ?? new errors.AuthorizationError2(ErrorCode.PSYNC_S2101, 'Authorization failed')
+      );
     }
   }
 
diff --git a/packages/service-core/src/routes/auth.ts b/packages/service-core/src/routes/auth.ts
@@ -4,6 +4,7 @@ import * as auth from '../auth/auth-index.js';
 import { ServiceContext } from '../system/ServiceContext.js';
 import * as util from '../util/util-index.js';
 import { BasicRouterRequest, Context, RequestEndpointHandlerPayload } from './router.js';
+import { AuthorizationError2, AuthorizationResponse, ErrorCode, ServiceError } from '@powersync/lib-services-framework';
 
 export function endpoint(req: BasicRouterRequest) {
   const protocol = req.headers['x-forwarded-proto'] ?? req.protocol;
@@ -95,25 +96,25 @@ export function getTokenFromHeader(authHeader: string = ''): string | null {
   return token ?? null;
 }
 
-export const authUser = async (payload: RequestEndpointHandlerPayload) => {
+export const authUser = async (payload: RequestEndpointHandlerPayload): Promise<AuthorizationResponse> => {
   return authorizeUser(payload.context, payload.request.headers.authorization as string);
 };
 
-export async function authorizeUser(context: Context, authHeader: string = '') {
+export async function authorizeUser(context: Context, authHeader: string = ''): Promise<AuthorizationResponse> {
   const token = getTokenFromHeader(authHeader);
   if (token == null) {
     return {
       authorized: false,
-      errors: ['Authentication required']
+      error: new AuthorizationError2(ErrorCode.PSYNC_S2115, 'Authentication required')
     };
   }
 
-  const { context: tokenContext, errors } = await generateContext(context.service_context, token);
+  const { context: tokenContext, tokenError } = await generateContext(context.service_context, token);
 
   if (!tokenContext) {
     return {
       authorized: false,
-      errors
+      error: tokenError
     };
   }
 
@@ -138,10 +139,20 @@ export async function generateContext(serviceContext: ServiceContext, token: str
       }
     };
   } catch (err) {
-    return {
-      context: null,
-      errors: [err.message]
-    };
+    if (err instanceof ServiceError) {
+      return {
+        context: null,
+        tokenError: err
+      };
+    } else {
+      return {
+        context: null,
+        tokenError: new AuthorizationError2(ErrorCode.PSYNC_S2101, 'Authentication error', {
+          details: err.message,
+          cause: err
+        })
+      };
+    }
   }
 }
 
diff --git a/packages/service-core/src/routes/configure-rsocket.ts b/packages/service-core/src/routes/configure-rsocket.ts
@@ -1,7 +1,7 @@
 import { deserialize } from 'bson';
 import * as http from 'http';
 
-import { errors, logger } from '@powersync/lib-services-framework';
+import { ErrorCode, errors, logger } from '@powersync/lib-services-framework';
 import { ReactiveSocketRouter, RSocketRequestMeta } from '@powersync/service-rsocket-router';
 
 import { ServiceContext } from '../system/ServiceContext.js';
@@ -22,19 +22,19 @@ export function configureRSocket(router: ReactiveSocketRouter<Context>, options:
   const { route_generators = DEFAULT_SOCKET_ROUTES, server, service_context } = options;
 
   router.applyWebSocketEndpoints(server, {
-    contextProvider: async (data: Buffer) => {
+    contextProvider: async (data: Buffer): Promise<Context & { token: string }> => {
       const { token, user_agent } = RSocketContextMeta.decode(deserialize(data) as any);
 
       if (!token) {
-        throw new errors.AuthorizationError('No token provided');
+        throw new errors.AuthorizationError2(ErrorCode.PSYNC_S2115, 'No token provided');
       }
 
       try {
         const extracted_token = getTokenFromHeader(token);
         if (extracted_token != null) {
-          const { context, errors: token_errors } = await generateContext(options.service_context, extracted_token);
+          const { context, tokenError } = await generateContext(options.service_context, extracted_token);
           if (context?.token_payload == null) {
-            throw new errors.AuthorizationError(token_errors ?? 'Authentication required');
+            throw new errors.AuthorizationError2(ErrorCode.PSYNC_S2115, 'Authentication required');
           }
 
           if (!service_context.routerEngine) {
@@ -45,11 +45,12 @@ export function configureRSocket(router: ReactiveSocketRouter<Context>, options:
             token,
             user_agent,
             ...context,
-            token_errors: token_errors,
+            token_error: tokenError,
             service_context: service_context as RouterServiceContext
           };
         } else {
-          throw new errors.AuthorizationError('No token provided');
+          // Token field is present, but did not contain a token.
+          throw new errors.AuthorizationError2(ErrorCode.PSYNC_S2115, 'No valid token provided');
         }
       } catch (ex) {
         logger.error(ex);
diff --git a/packages/service-core/src/routes/router.ts b/packages/service-core/src/routes/router.ts
@@ -1,4 +1,4 @@
-import { router } from '@powersync/lib-services-framework';
+import { router, ServiceError } from '@powersync/lib-services-framework';
 import type { JwtPayload } from '../auth/auth-index.js';
 import { ServiceContext } from '../system/ServiceContext.js';
 import { RouterEngine } from './RouterEngine.js';
@@ -16,7 +16,7 @@ export type Context = {
   service_context: RouterServiceContext;
 
   token_payload?: JwtPayload;
-  token_errors?: string[];
+  token_error?: ServiceError;
   /**
    * Only on websocket endpoints.
    */
diff --git a/packages/service-errors/src/codes.ts b/packages/service-errors/src/codes.ts
@@ -306,6 +306,39 @@ export enum ErrorCode {
    */
   PSYNC_S2101 = 'PSYNC_S2101',
 
+  /**
+   * Could not verify the auth token signature.
+   *
+   * Typical causes include:
+   * 1. Token kid is not found in the keystore.
+   * 2. Signature does not match the kid in the keystore.
+   */
+  PSYNC_S2111 = 'PSYNC_S2111',
+
+  /**
+   * Token has expired. Check the expiry date on the token.
+   */
+  PSYNC_S2112 = 'PSYNC_S2112',
+
+  /**
+   * Token expiration date is too long. Issue shorter-lived tokens.
+   */
+  PSYNC_S2113 = 'PSYNC_S2113',
+
+  /**
+   * Token audience does not match expected values.
+   *
+   * Check the aud value on the token, compared to the audience values allowed in the service config.
+   */
+  PSYNC_S2114 = 'PSYNC_S2114',
+
+  /**
+   * No token provided. An auth token is required for every request.
+   *
+   * The Auhtorization header must start with "Token" or "Bearer", followed by the JWT.
+   */
+  PSYNC_S2115 = 'PSYNC_S2115',
+
   // ## PSYNC_S22xx: Auth integration errors
 
   /**
diff --git a/packages/service-errors/src/errors.ts b/packages/service-errors/src/errors.ts
@@ -172,6 +172,22 @@ export class AuthorizationError extends ServiceError {
   }
 }
 
+export class AuthorizationError2 extends ServiceError {
+  constructor(
+    code: ErrorCode,
+    description: string,
+    options?: Partial<ErrorData> & { sensitiveDetails?: string; cause?: any }
+  ) {
+    super({
+      code,
+      status: 401,
+      description,
+      ...options
+    });
+    this.cause = this.cause;
+  }
+}
+
 export class InternalServerError extends ServiceError {
   static readonly CODE = ErrorCode.PSYNC_S2001;
 

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,10 @@ export const executeEndpoint = async <I, O, C, P extends EndpointHandlerPayload<`
`16`	`16`	`}`
`17`	`17`	`const authorizer_response = await endpoint.authorize?.(payload);`
`18`	`18`	`if (authorizer_response && !authorizer_response.authorized) {`
`19`		`- throw new errors.AuthorizationError(authorizer_response.errors);`
	`19`	`+ if (authorizer_response.error == null) {`
	`20`	`+ throw new errors.AuthorizationError2(errors.ErrorCode.PSYNC_S2101, 'Authorization failed');`
	`21`	`+ }`
	`22`	`+ throw authorizer_response.error;`
`20`	`23`	`}`
`21`	`24`
`22`	`25`	`return endpoint.handler(payload);`