feat: invalid_token errors now have a detail to aid in debugging or logs
panva committed Sep 26, 2018
1 parent 9a1f0a3 commit b8324b7
Showing 3 changed files with 13 additions and 10 deletions.
8 changes: 4 additions & 4 deletions lib/actions/registration.js
Expand Up @@ -56,15 +56,15 @@ module.exports = function registrationAction(provider) {
setWWWAuthenticateHeader,
async function validateRegistrationAccessToken(ctx, next) {
const regAccessToken = await provider.RegistrationAccessToken.find(ctx.oidc.bearer);
ctx.assert(regAccessToken, new InvalidToken());
ctx.assert(regAccessToken, new InvalidToken('token not found'));

const client = await provider.Client.find(ctx.params.clientId, {
fresh: true,
});

if (!client || client.clientId !== regAccessToken.clientId) {
await regAccessToken.destroy();
throw new InvalidToken();
throw new InvalidToken('authenticated client and registration access token client mismatch');
}

ctx.oidc.entity('Client', client);
Expand All @@ -84,7 +84,7 @@ module.exports = function registrationAction(provider) {
switch (registration.initialAccessToken && typeof registration.initialAccessToken) {
case 'boolean': {
const initialAccessToken = await provider.InitialAccessToken.find(ctx.oidc.bearer);
ctx.assert(initialAccessToken, new InvalidToken());
ctx.assert(initialAccessToken, new InvalidToken('initial access token not found'));
ctx.oidc.entity('InitialAccessToken', initialAccessToken);
break;
}
Expand All @@ -94,7 +94,7 @@ module.exports = function registrationAction(provider) {
ctx.oidc.bearer,
1000,
);
ctx.assert(valid, new InvalidToken());
ctx.assert(valid, new InvalidToken('invalid initial access token value'));
break;
}
default:
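Review bot: The detail passed at the `ctx.assert(regAccessToken, ...)` line, 'token not found', is the only one in this file that does not name the token type, while the two initial-access-token paths say 'initial access token not found' and 'invalid initial access token value'; for log filtering `ctx.assert(regAccessToken, new InvalidToken('registration access token not found'));` keeps the set consistent. The detail on the mismatch branch is reasonable, but note it is produced only after `regAccessToken.destroy()`, so a log reader will see the token already gone. validateRegistrationAccessToken continues past the first hunk, and the other two hunks are cut at both ends, so their enclosing function bodies are outside this view.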
8 changes: 4 additions & 4 deletions lib/actions/userinfo.js
Expand Up @@ -51,12 +51,12 @@ module.exports = function userinfoAction(provider) {

async function validateBearer(ctx, next) {
const accessToken = await provider.AccessToken.find(ctx.oidc.bearer);
ctx.assert(accessToken, new InvalidToken());
ctx.assert(accessToken, new InvalidToken('access token not found'));

if (accessToken['x5t#S256']) {
const cert = ctx.get('x-ssl-client-cert');
if (!cert || accessToken['x5t#S256'] !== getS256Thumbprint(cert)) {
throw new InvalidToken();
throw new InvalidToken('failed x5t#S256 verification');
}
}

Expand All @@ -82,7 +82,7 @@ module.exports = function userinfoAction(provider) {

async function loadClient(ctx, next) {
const client = await provider.Client.find(ctx.oidc.accessToken.clientId);
ctx.assert(client, new InvalidToken());
ctx.assert(client, new InvalidToken('associated client not found'));

ctx.oidc.entity('Client', client);

Expand All @@ -96,7 +96,7 @@ module.exports = function userinfoAction(provider) {
ctx.oidc.accessToken,
);

ctx.assert(account, new InvalidToken());
ctx.assert(account, new InvalidToken('associated account not found'));
ctx.oidc.entity('Account', account);

await next();
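Review bot: In validateBearer the new detail 'failed x5t#S256 verification' covers two different conditions folded into `if (!cert || accessToken['x5t#S256'] !== getS256Thumbprint(cert))`, a missing `x-ssl-client-cert` header and a thumbprint mismatch, and the stated purpose of the change is to tell such cases apart in logs. Since the value is for diagnostics, `throw new InvalidToken(cert ? 'x5t#S256 thumbprint mismatch' : 'client certificate not presented');` would make the log entry actionable without changing the response. The loadClient and account hunks end before their functions close, so the rest of those bodies is not visible here.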
7 changes: 5 additions & 2 deletions lib/helpers/errors.js
Expand Up @@ -13,10 +13,13 @@ class OIDCProviderError extends Error {
}

class InvalidToken extends OIDCProviderError {
constructor() {
constructor(detail) {
super(401, 'invalid_token');
Error.captureStackTrace(this, this.constructor);
Object.assign(this, { error_description: 'invalid token provided' });
Object.assign(this, {
error_description: 'invalid token provided',
error_detail: detail,
});
}
}

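Review bot: `error_detail` is attached as an own enumerable property next to `error_description`, so whatever handler serializes these errors into the 401 body or the WWW-Authenticate header will emit the detail to the client too unless it filters by property name; that handler is outside this diff, so it is worth confirming before release. Several of the new details distinguish cases a caller should not be able to tell apart (for example 'token not found' versus the client-mismatch case in registration.js, and 'associated account not found' in userinfo.js), which is fine in logs but not in the wire response. The commit message frames the value as a debugging and log aid; a JSDoc line on the constructor, `@param {string} [detail] - diagnostic text intended for logs only, not part of the invalid_token response`, would pin that contract for the next maintainer. Also, when no argument is passed the object still gains `error_detail: undefined`; `if (detail !== undefined) this.error_detail = detail;` after the `Object.assign` keeps the property absent instead.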
