fix: errors

annahassel · annahassel · commit c3a2a32ffc48 · 2022-07-20T12:07:20.000+03:00
diff --git a/package.json b/package.json
@@ -98,7 +98,7 @@
     "serialize-error": "^8.1.0",
     "serialize-javascript": "^6.0.0",
     "tough-cookie": "^4.0.0",
-    "undici": "^5.0.0",
+    "undici": "^5.8.0",
     "uuid": "^8.3.2",
     "yargs": "^17.4.0",
     "zxcvbn": "^4.4.2"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/actions/oauth/upgrade.js b/src/actions/oauth/upgrade.js
@@ -20,7 +20,7 @@ const appleStrategy = require('../../auth/oauth/strategies/apple');
  * @apiParam (Payload) {String} isStatelessAuth - use stateless JWT tokens when they are optional
  */
 async function upgrade(request) {
-  const { transportRequest, params, query } = request;
+  const { transportRequest, params, query, log } = request;
   const { provider, token, isStatelessAuth } = params;
 
   // fetch settings, otherwise provider is not supported
@@ -39,10 +39,13 @@ async function upgrade(request) {
 
   const credentials = provider === 'apple'
     ? await appleStrategy.upgradeAppleCode({
-      query,
-      providerSettings,
-      code: token,
-      redirectUrl: transportRequest.url.href.replace(/\/upgrade$/, '/apple').replace(/^http:\/\//, 'https://'),
+      log,
+      params: {
+        query,
+        providerSettings,
+        code: token,
+        redirectUrl: transportRequest.url.href.replace(/\/upgrade$/, '/apple').replace(/^http:\/\//, 'https://'),
+      },
     })
     : await profile.call(providerSettings, { token, query });
 
diff --git a/src/auth/oauth/index.js b/src/auth/oauth/index.js
@@ -111,6 +111,7 @@ async function mserviceVerification({ service, transportRequest }, credentials,
 
   // user is authenticated and profile is attached
   if (user && userId) {
+    // @TODO code?
     throw new Errors.HttpStatusError(412, 'profile is linked');
   }
 
diff --git a/src/auth/oauth/strategies/apple.js b/src/auth/oauth/strategies/apple.js
@@ -4,6 +4,11 @@ const Bluebird = require('bluebird');
 const Boom = require('@hapi/boom');
 const { request: httpRequest } = require('undici');
 
+const {
+  ERROR_OAUTH_APPLE_VALIDATE_CODE,
+  ERROR_OAUTH_APPLE_VERIFY_PROFILE,
+} = require('../../../constants');
+
 // @todo more options from config
 const jwksClient = getJwksClient({
   jwksUri: 'https://appleid.apple.com/auth/keys',
@@ -151,13 +156,24 @@ function getProvider(options, server) {
   };
 }
 
-async function upgradeAppleCode(params) {
+async function upgradeAppleCode({ params, log }) {
   const { providerSettings, code, query, redirectUrl } = params;
   const { profile } = providerSettings.provider;
 
+  let tokenResponse;
+
+  try {
+    tokenResponse = await validateGrantCode(providerSettings, code, redirectUrl);
+  } catch (error) {
+    log.error(Boom.internal(error.body?.error, undefined, error.statusCode));
+
+    throw ERROR_OAUTH_APPLE_VALIDATE_CODE;
+  }
+
+  let credentials;
+
   try {
-    const tokenResponse = await validateGrantCode(providerSettings, code, redirectUrl);
-    const credentials = await profile.call(
+    credentials = await profile.call(
       providerSettings,
       {
         query,
@@ -167,11 +183,13 @@ async function upgradeAppleCode(params) {
       },
       tokenResponse
     );
-
-    return credentials;
   } catch (error) {
-    throw Boom.internal(error.body?.error, undefined, error.statusCode);
+    log.error(Boom.internal(error.body?.error, undefined, error.statusCode));
+
+    throw ERROR_OAUTH_APPLE_VERIFY_PROFILE;
   }
+
+  return credentials;
 }
 
 module.exports = {
diff --git a/src/auth/oauth/utils/form-oauth-response.js b/src/auth/oauth/utils/form-oauth-response.js
@@ -34,6 +34,7 @@ async function formOAuthResponse(ctx, request, credentials) {
   }
 
   if (!account) {
+    // @TODO 403?
     throw new HttpStatusError(500, 'no account when jwt isn\'t present');
   }
 
diff --git a/src/constants.js b/src/constants.js
@@ -89,6 +89,9 @@ module.exports = exports = {
   ErrorUserNotMember: new HttpStatusError(404, 'username not member of organization'),
   ErrorInvitationExpiredOrUsed: new HttpStatusError(400, 'Invitation has expired or already been used'),
 
+  ERROR_OAUTH_APPLE_VALIDATE_CODE: new HttpStatusError(403, 'Code validation failed'),
+  ERROR_OAUTH_APPLE_VERIFY_PROFILE: new HttpStatusError(403, 'Profile verification failed'),
+
   // actions
   USERS_ACTION_ACTIVATE: 'activate',
   USERS_ACTION_VERIFY_CONTACT: 'verify-contact',
@@ -143,6 +146,9 @@ exports.USERS_JWT_ACCESS_REQUIRED.code = 'E_TKN_ACCESS_TOKEN_REQUIRED';
 exports.USERS_JWT_REFRESH_REQUIRED.code = 'E_TKN_REFRESH_TOKEN_REQUIRED';
 exports.USERS_JWT_STATELESS_REQUIRED.code = 'E_STATELESS_NOT_ENABLED';
 
+exports.ERROR_OAUTH_APPLE_VALIDATE_CODE.code = 'E_VALIDATE_CODE';
+exports.ERROR_OAUTH_APPLE_VERIFY_PROFILE.code = 'E_VERIFY_PROFILE';
+
 exports.SSO_PROVIDERS = [
   exports.USERS_SSO_FACEBOOK_FIELD,
   exports.USERS_SSO_APPLE_FIELD,
diff --git a/test/suites/actions/oauth/upgrade.apple.js b/test/suites/actions/oauth/upgrade.apple.js
@@ -28,7 +28,7 @@ describe('oauth.upgrade action', function suite() {
     appleStrategyStub
       .withArgs(
         match(
-          (params) => params.code === 'c75da8efcf25f4acb80e51152fead9fad.0.srqty.7-k4X-G9bBesI_9hDFH6Xg'
+          ({ params }) => params.code === 'c75da8efcf25f4acb80e51152fead9fad.0.srqty.7-k4X-G9bBesI_9hDFH6Xg'
             && params.redirectUrl === 'https://ms-users.local/users/oauth/apple'
             && params.providerSettings.appId === 'com.test.app'
         )

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,7 @@ async function mserviceVerification({ service, transportRequest }, credentials,`
`111`	`111`
`112`	`112`	`// user is authenticated and profile is attached`
`113`	`113`	`if (user && userId) {`
	`114`	`+ // @TODO code?`
`114`	`115`	`throw new Errors.HttpStatusError(412, 'profile is linked');`
`115`	`116`	`}`
`116`	`117`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ async function formOAuthResponse(ctx, request, credentials) {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`if (!account) {`
	`37`	`+ // @TODO 403?`
`37`	`38`	`throw new HttpStatusError(500, 'no account when jwt isn\'t present');`
`38`	`39`	`}`
`39`	`40`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ describe('oauth.upgrade action', function suite() {`
`28`	`28`	`appleStrategyStub`
`29`	`29`	`.withArgs(`
`30`	`30`	`match(`
`31`		`- (params) => params.code === 'c75da8efcf25f4acb80e51152fead9fad.0.srqty.7-k4X-G9bBesI_9hDFH6Xg'`
	`31`	`+ ({ params }) => params.code === 'c75da8efcf25f4acb80e51152fead9fad.0.srqty.7-k4X-G9bBesI_9hDFH6Xg'`
`32`	`32`	`&& params.redirectUrl === 'https://ms-users.local/users/oauth/apple'`
`33`	`33`	`&& params.providerSettings.appId === 'com.test.app'`
`34`	`34`	`)`