Error tweaks and tests.

Author: rkistner

packages/service-core/src/auth/KeyStore.ts

@@ -4,6 +4,7 @@ import secs from '../util/secs.js';
 import { JwtPayload } from './JwtPayload.js';
 import { KeyCollector } from './KeyCollector.js';
 import { KeyOptions, KeySpec, SUPPORTED_ALGORITHMS } from './KeySpec.js';
+import { mapAuthError } from './utils.js';
 
 /**
  * KeyStore to get keys and verify tokens.
@@ -98,16 +99,20 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
 
   private async verifyInternal(token: string, options: jose.JWTVerifyOptions) {
     let keyOptions: KeyOptions | undefined = undefined;
-    const result = await jose.jwtVerify(
-      token,
-      async (header) => {
-        let key = await this.getCachedKey(token, header);
-        keyOptions = key.options;
-        return key.key;
-      },
-      options
-    );
-    return { result, keyOptions: keyOptions! };
+    try {
+      const result = await jose.jwtVerify(
+        token,
+        async (header) => {
+          let key = await this.getCachedKey(token, header);
+          keyOptions = key.options;
+          return key.key;
+        },
+        options
+      );
+      return { result, keyOptions: keyOptions! };
+    } catch (e) {
+      throw mapAuthError(e);
+    }
   }
 
   private async getCachedKey(token: string, header: jose.JWTHeaderParameters): Promise<KeySpec> {

packages/service-core/src/auth/utils.ts

@@ -3,10 +3,20 @@ import * as jose from 'jose';
 
 export function mapJoseError(error: jose.errors.JOSEError): AuthorizationError {
   // TODO: improved message for exp issues, etc
-  if (error.code === 'ERR_JWS_INVALID' || error.code === 'ERR_JWT_INVALID') {
+  if (error.code === jose.errors.JWSInvalid.code || error.code === jose.errors.JWTInvalid.code) {
     throw new AuthorizationError(ErrorCode.PSYNC_S2101, 'Token is not a well-formed JWT. Check the token format.', {
       details: error.message
     });
+  } else if (error.code === jose.errors.JWTClaimValidationFailed.code) {
+    // Example: missing required "sub" claim
+    const claim = (error as jose.errors.JWTClaimValidationFailed).claim;
+    throw new AuthorizationError(
+      ErrorCode.PSYNC_S2101,
+      `JWT payload is missing a required claim ${JSON.stringify(claim)}`,
+      {
+        cause: error
+      }
+    );
   }
   return new AuthorizationError(ErrorCode.PSYNC_S2101, error.message, { cause: error });
 }
@@ -21,7 +31,7 @@ export function mapAuthError(error: any): AuthorizationError {
 }
 
 export function mapJoseConfigError(error: jose.errors.JOSEError): AuthorizationError {
-  return new AuthorizationError(ErrorCode.PSYNC_S2201, error.message, { cause: error });
+  return new AuthorizationError(ErrorCode.PSYNC_S2201, error.message ?? 'Authorization error', { cause: error });
 }
 
 export function mapAuthConfigError(error: any): AuthorizationError {
@@ -30,5 +40,5 @@ export function mapAuthConfigError(error: any): AuthorizationError {
   } else if (error instanceof jose.errors.JOSEError) {
     return mapJoseConfigError(error);
   }
-  return new AuthorizationError(ErrorCode.PSYNC_S2201, error.message, { cause: error });
+  return new AuthorizationError(ErrorCode.PSYNC_S2201, error.message ?? 'Auth configuration error', { cause: error });
 }

packages/service-core/test/src/auth.test.ts

@@ -75,21 +75,21 @@ describe('JWT Auth', () => {
         defaultAudiences: ['other'],
         maxAge: '6m'
       })
-    ).rejects.toThrow('unexpected "aud" claim value');
+    ).rejects.toThrow('[PSYNC_S2105] Unexpected "aud" claim value: "tests"');
 
     await expect(
       store.verifyJwt(signedJwt, {
         defaultAudiences: [],
         maxAge: '6m'
       })
-    ).rejects.toThrow('unexpected "aud" claim value');
+    ).rejects.toThrow('[PSYNC_S2105] Unexpected "aud" claim value: "tests"');
 
     await expect(
       store.verifyJwt(signedJwt, {
         defaultAudiences: ['tests'],
         maxAge: '1m'
       })
-    ).rejects.toThrow('Token must expire in a maximum of');
+    ).rejects.toThrow('[PSYNC_S2104] Token must expire in a maximum of 60 seconds, got 300s');
 
     const signedJwt2 = await new jose.SignJWT({})
       .setProtectedHeader({ alg: 'HS256', kid: 'k1' })
@@ -104,7 +104,7 @@ describe('JWT Auth', () => {
         defaultAudiences: ['tests'],
         maxAge: '5m'
       })
-    ).rejects.toThrow('missing required "sub" claim');
+    ).rejects.toThrow('[PSYNC_S2101] JWT payload is missing a required claim "sub"');
   });
 
   test('Algorithm validation', async () => {
@@ -159,7 +159,7 @@ describe('JWT Auth', () => {
         maxAge: '6m'
       })
     ).rejects.toThrow(
-      'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID'
+      '[PSYNC_S2101] Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID'
     );
 
     // Wrong kid
@@ -178,7 +178,7 @@ describe('JWT Auth', () => {
         maxAge: '6m'
       })
     ).rejects.toThrow(
-      'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID'
+      '[PSYNC_S2101] Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID'
     );
 
     // No kid, matches sharedKey2
@@ -255,7 +255,7 @@ describe('JWT Auth', () => {
         defaultAudiences: ['tests'],
         maxAge: '6m'
       })
-    ).rejects.toThrow('unexpected "aud" claim value');
+    ).rejects.toThrow('[PSYNC_S2105] Unexpected "aud" claim value: "tests"');
 
     const signedJwt3 = await new jose.SignJWT({})
       .setProtectedHeader({ alg: 'HS256', kid: 'k1' })
@@ -345,7 +345,7 @@ describe('JWT Auth', () => {
     expect(key.kid).toEqual(publicKeyRSA.kid!);
 
     cached.addTimeForTests(301_000);
-    currentResponse = Promise.reject('refresh failed');
+    currentResponse = Promise.reject(new Error('refresh failed'));
 
     // Uses the promise, refreshes in the background
     let response = await cached.getKeys();
@@ -356,15 +356,16 @@ describe('JWT Auth', () => {
     await cached.addTimeForTests(0);
     response = await cached.getKeys();
     // Still have the cached key, but also have the error
+    console.log('e', response.errors[0]);
     expect(response.keys[0].kid).toEqual(publicKeyRSA.kid!);
-    expect(response.errors[0].message).toMatch('Failed to fetch');
+    expect(response.errors[0].message).toMatch('[PSYNC_S2201] refresh failed');
 
     await cached.addTimeForTests(3601_000);
     response = await cached.getKeys();
 
     // Now the keys have expired, and the request still fails
     expect(response.keys).toEqual([]);
-    expect(response.errors[0].message).toMatch('Failed to fetch');
+    expect(response.errors[0].message).toMatch('[PSYNC_S2201] refresh failed');
 
     currentResponse = Promise.resolve({
       errors: [],