Further tweaks.

rkistner · rkistner · commit c65de5f8ce76 · 2025-05-07T16:11:23.000+02:00
diff --git a/packages/service-core/src/auth/KeyStore.ts b/packages/service-core/src/auth/KeyStore.ts
@@ -50,7 +50,8 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
       clockTolerance: 60,
       // More specific algorithm checking is done when selecting the key to use.
       algorithms: SUPPORTED_ALGORITHMS,
-      requiredClaims: ['aud', 'sub', 'iat', 'exp']
+      // 'aud' presence is checked below, so we can add more details to the error message.
+      requiredClaims: ['sub', 'iat', 'exp']
     });
 
     let audiences = options.defaultAudiences;
@@ -61,8 +62,12 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
 
     const tokenPayload = result.payload;
 
-    let aud = tokenPayload.aud!;
-    if (!Array.isArray(aud)) {
+    let aud = tokenPayload.aud;
+    if (aud == null) {
+      throw new AuthorizationError(ErrorCode.PSYNC_S2105, `JWT payload is missing a required claim "aud"`, {
+        configurationDetails: `Current configuration allows these audience values: ${JSON.stringify(audiences)}`
+      });
+    } else if (!Array.isArray(aud)) {
       aud = [aud];
     }
     if (
@@ -125,6 +130,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         if (key.kid == kid) {
           if (!key.matchesAlgorithm(header.alg)) {
             throw new AuthorizationError(ErrorCode.PSYNC_S2101, `Unexpected token algorithm ${header.alg}`, {
+              configurationDetails: `Key kid: ${key.source.kid}, alg: ${key.source.alg}, kty: ${key.source.kty}`
               // Token details automatically populated elsewhere
             });
           }
diff --git a/packages/service-core/src/auth/RemoteJWKSCollector.ts b/packages/service-core/src/auth/RemoteJWKSCollector.ts
@@ -47,30 +47,43 @@ export class RemoteJWKSCollector implements KeyCollector {
     this.agent = this.resolveAgent();
   }
 
-  async getKeys(): Promise<KeyResult> {
+  private async getJwksData(): Promise<any> {
     const abortController = new AbortController();
     const timeout = setTimeout(() => {
       abortController.abort();
     }, 30_000);
 
-    const res = await fetch(this.url, {
-      method: 'GET',
-      headers: {
-        Accept: 'application/json'
-      },
-      signal: abortController.signal,
-      agent: this.agent
-    });
-
-    if (!res.ok) {
-      throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed with ${res.statusText}`, {
-        configurationDetails: `JWKS URL: ${this.url}`
+    try {
+      const res = await fetch(this.url, {
+        method: 'GET',
+        headers: {
+          Accept: 'application/json'
+        },
+        signal: abortController.signal,
+        agent: this.agent
       });
-    }
 
-    const data = (await res.json()) as any;
+      if (!res.ok) {
+        throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed with ${res.statusText}`, {
+          configurationDetails: `JWKS URL: ${this.url}`
+        });
+      }
 
-    clearTimeout(timeout);
+      return (await res.json()) as any;
+    } catch (e) {
+      throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
+        configurationDetails: `JWKS URL: ${this.url}`,
+        // This covers most cases of FetchError
+        // `cause: e` could lose the error message
+        cause: { message: e.message, code: e.code }
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+
+  async getKeys(): Promise<KeyResult> {
+    const data = await this.getJwksData();
 
     // https://github.com/panva/jose/blob/358e864a0cccf1e0f9928a959f91f18f3f06a7de/src/jwks/local.ts#L36
     if (
@@ -81,7 +94,7 @@ export class RemoteJWKSCollector implements KeyCollector {
       return {
         keys: [],
         errors: [
-          new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed with ${res.statusText}`, {
+          new AuthorizationError(ErrorCode.PSYNC_S2204, `Invalid JWKS response`, {
             configurationDetails: `JWKS URL: ${this.url}. Response:\n${JSON.stringify(data, null, 2)}`
           })
         ]
diff --git a/packages/service-core/test/src/auth.test.ts b/packages/service-core/test/src/auth.test.ts
@@ -308,7 +308,7 @@ describe('JWT Auth', () => {
         reject_ip_ranges: ['local']
       }
     });
-    await expect(invalid.getKeys()).rejects.toThrow('IPs in this range are not supported');
+    await expect(invalid.getKeys()).rejects.toThrow('[PSYNC_S2204] JWKS request failed');
 
     // IPs throw an error immediately
     expect(
diff --git a/packages/service-errors/src/errors.ts b/packages/service-errors/src/errors.ts
@@ -181,7 +181,7 @@ export class AuthorizationError extends ServiceError {
       status: 401,
       description
     });
-    this.cause = this.cause;
+    this.cause = options?.cause;
     this.tokenDetails = options?.tokenDetails;
     this.configurationDetails = options?.configurationDetails;
   }

Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,7 @@ describe('JWT Auth', () => {`
`308`	`308`	`reject_ip_ranges: ['local']`
`309`	`309`	`}`
`310`	`310`	`});`
`311`		`- await expect(invalid.getKeys()).rejects.toThrow('IPs in this range are not supported');`
	`311`	`+ await expect(invalid.getKeys()).rejects.toThrow('[PSYNC_S2204] JWKS request failed');`
`312`	`312`
`313`	`313`	`// IPs throw an error immediately`
`314`	`314`	`expect(`
Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,7 @@ export class AuthorizationError extends ServiceError {`
`181`	`181`	`status: 401,`
`182`	`182`	`description`
`183`	`183`	`});`
`184`		`- this.cause = this.cause;`
	`184`	`+ this.cause = options?.cause;`
`185`	`185`	`this.tokenDetails = options?.tokenDetails;`
`186`	`186`	`this.configurationDetails = options?.configurationDetails;`
`187`	`187`	`}`