fix(controlplane): handle authentication errors correctly (#2354)

Author: pepol

controlplane/src/core/auth-utils.ts

@@ -43,6 +43,12 @@ const pkceMaxAgeSec = 60 * 15; // 15 minutes
 const pkceCodeAlgorithm = 'S256';
 const scope = 'openid profile email';
 
+const axiosStatusValidator = function (status: number): boolean {
+  // All user-level (4xx) errors are handled below by returning `AuthenticationError`.
+  // For any server errors (5xx), we want to surface those separately.
+  return status < 500;
+};
+
 export default class AuthUtils {
   private webUrl: URL;
   private readonly webDomain: string;
@@ -131,6 +137,7 @@ export default class AuthUtils {
       headers: {
         Authorization: `Bearer ${accessToken}`,
       },
+      validateStatus: axiosStatusValidator,
     });
 
     if (res.status !== 200) {
@@ -156,6 +163,7 @@ export default class AuthUtils {
         client_id: this.opts.oauth.clientID,
         scope,
       }),
+      validateStatus: axiosStatusValidator,
     });
 
     if (res.status !== 200) {
@@ -273,6 +281,7 @@ export default class AuthUtils {
         code,
         redirect_uri: this.getRedirectUri({ redirectURL, sso: ssoSlug }),
       }),
+      validateStatus: axiosStatusValidator,
     });
 
     if (resp.status !== 200) {

controlplane/src/core/crypto/jwt.ts

@@ -1,5 +1,7 @@
 import { hkdf, randomFill, randomUUID, subtle } from 'node:crypto';
-import { decodeJwt, EncryptJWT, jwtDecrypt, JWTPayload, jwtVerify, KeyLike, SignJWT } from 'jose';
+import { decodeJwt, EncryptJWT, jwtDecrypt, errors, JWTPayload, jwtVerify, KeyLike, SignJWT } from 'jose';
+import { EnumStatusCode } from '@wundergraph/cosmo-connect/dist/common/common_pb';
+import { AuthenticationError } from '../errors/errors.js';
 import { JWTDecodeParams, JWTEncodeParams } from '../../types/index.js';
 import { base64URLEncode } from '../util.js';
 
@@ -76,10 +78,21 @@ export async function decrypt<Payload = JWTPayload>(params: JWTDecodeParams): Pr
     throw new Error('No token provided');
   }
   const encryptionSecret = await getDerivedEncryptionKey(secret);
-  const { payload } = await jwtDecrypt(token, encryptionSecret, {
-    clockTolerance: 15,
-  });
-  return payload as Payload;
+  try {
+    const { payload } = await jwtDecrypt(token, encryptionSecret, {
+      clockTolerance: 15,
+    });
+    return payload as Payload;
+  } catch (err: any) {
+    if (
+      err instanceof errors.JWTExpired ||
+      err instanceof errors.JWTClaimValidationFailed ||
+      err instanceof errors.JWTInvalid
+    ) {
+      throw new AuthenticationError(EnumStatusCode.ERROR_NOT_AUTHENTICATED, err.message);
+    }
+    throw err;
+  }
 }
 
 /**

controlplane/src/core/services/Keycloak.ts

@@ -1,9 +1,11 @@
-import KeycloakAdminClient from '@keycloak/keycloak-admin-client';
+import KeycloakAdminClient, { NetworkError } from '@keycloak/keycloak-admin-client';
 import { RequiredActionAlias } from '@keycloak/keycloak-admin-client/lib/defs/requiredActionProviderRepresentation.js';
+import { EnumStatusCode } from '@wundergraph/cosmo-connect/dist/common/common_pb';
 import { uid } from 'uid';
 import { FastifyBaseLogger } from 'fastify';
 import { MemberRole } from '../../db/models.js';
 import { organizationRoleEnum } from '../../db/schema.js';
+import { AuthenticationError } from '../errors/errors.js';
 
 export default class Keycloak {
   client: KeycloakAdminClient;
@@ -35,12 +37,19 @@ export default class Keycloak {
   }
 
   public async authenticateClient() {
-    await this.client.auth({
-      grantType: 'password',
-      username: this.adminUser,
-      password: this.adminPassword,
-      clientId: 'admin-cli',
-    });
+    try {
+      await this.client.auth({
+        grantType: 'password',
+        username: this.adminUser,
+        password: this.adminPassword,
+        clientId: 'admin-cli',
+      });
+    } catch (err: any) {
+      if (err instanceof NetworkError) {
+        throw new AuthenticationError(EnumStatusCode.ERROR_NOT_AUTHENTICATED, err.message);
+      }
+      throw err;
+    }
   }
 
   public async roleExists({ realm, roleName }: { realm?: string; roleName: string }): Promise<boolean> {