Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(auth/error): improve error handling of auth issues #3950

Merged
merged 1 commit into from
Feb 11, 2025
Merged

fix(auth/error): improve error handling of auth issues #3950

merged 1 commit into from
Feb 11, 2025

Conversation

iainsproat
Copy link
Contributor

@iainsproat iainsproat commented Feb 7, 2025
edited
Loading

Description & motivation

Our logging system showed that some types of errors were being logged twice, the first time as info level and the second as error level:
Screenshot 2025-02-07 at 11 50 36

As this is an user-related error, it should only have been logged as info level. This PR does not yet address the logging duplication, but addresses the logging levels.

Some errors we catch should not be passed to the passportjs callback function, and instead it should only be marked as failure.

From documentation https://www.passportjs.org/concepts/authentication/downloads/html/

It is important to distinguish between the two failure cases that can occur. Authentication failures are expected conditions, in which the server is operating normally, even though invalid credentials are being received from the user (or a malicious adversary attempting to authenticate as the user). Only when the server is operating abnormally should err be set, to indicate an internal error.

Changes:

  • github, oidc, google auth strategies will no longer consider expected validation issues as errors
  • logging in with local strategy now has improved error logging, correctly differentiating between expected and unexpected errors

To-do before merge:

Screenshots:

Validation of changes:

Checklist:

  • My pull request follows the guidelines in the Contributing guide?
  • My pull request does not duplicate any other open Pull Requests for the same update/change?
  • My commits are related to the pull request and do not amend unrelated code or documentation.
  • My code follows a similar style to existing code.
  • I have added appropriate tests.
  • I have updated or added relevant documentation.

References

iainsproat
iainsproat commented Feb 7, 2025
View reviewed changes
packages/server/modules/auth/strategies/local.ts
req.log.info({ err }, 'Error while logging in.')
break
default:
req.log.error({ err }, 'Error while logging in.')
Copy link
Contributor Author

@iainsproat iainsproat Feb 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We want to alert on some types of issues when users are logging in, so this adds error level logging for unexpected errors.

packages/server/modules/auth/strategies/local.ts
default:
req.log.error({ err }, 'Error while logging in.')
break
}
return res.status(401).send({ err: true, message: 'Invalid credentials.' })
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question related to this, should we instead be using next(e) and let the error handling middleware then handle how the error is returned to the user?
https://expressjs.com/en/guide/error-handling.html

@iainsproat iainsproat marked this pull request as ready for review February 7, 2025 11:53
@gjedlicska gjedlicska merged commit 8d0678b into main Feb 11, 2025
26 of 28 checks passed
@gjedlicska gjedlicska deleted the iain/improve-auth-strategy-error-handling branch February 11, 2025 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gjedlicska gjedlicska gjedlicska approved these changes

@fabis94 fabis94 Awaiting requested review from fabis94

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@iainsproat @gjedlicska