refactor(core): enhance error handling

Author: halvaradop

packages/core/src/@types/index.ts

@@ -245,6 +245,23 @@ export type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorRe
  * OAuth 2.0 Token Revocation Error Response Types
  * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
  */
-export type TokenRevocationError = OAuthError<"invalid_session_token" | "invalid_csrf_token" | "invalid_redirect_to">
+export type TokenRevocationError = OAuthError<"invalid_session_token">
 
 export type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"]
+
+export type AuthInternalErrorCode =
+    | "INVALID_OAUTH_CONFIGURATION"
+    | "INVALID_JWT_TOKEN"
+    | "JOSE_INITIALIZATION_FAILED"
+    | "SESSION_STORE_NOT_INITIALIZED"
+    | "COOKIE_STORE_NOT_INITIALIZED"
+    | "COOKIE_PARSING_FAILED"
+    | "COOKIE_NOT_FOUND"
+
+export type AuthSecurityErrorCode =
+    | "INVALID_STATE"
+    | "MISMATCHING_STATE"
+    | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED"
+    | "CSRF_TOKEN_INVALID"
+    | "CSRF_TOKEN_MISSING"
+    | "SESSION_TOKEN_MISSING"

packages/core/src/actions/callback/access-token.ts

@@ -1,6 +1,7 @@
-import { AuthError, ERROR_RESPONSE, throwAuthError } from "@/errors.js"
+import { AuthInternalError, OAuthProtocolError } from "@/errors.js"
 import { OAuthAccessToken, OAuthAccessTokenErrorResponse, OAuthAccessTokenResponse } from "@/schemas.js"
 import type { OAuthProviderCredentials } from "@/@types/index.js"
+import { formatZodError } from "@/utils.js"
 
 /**
  * Make a request to the OAuth provider to the token endpoint to exchange the authorization code provided
@@ -21,7 +22,8 @@ export const createAccessToken = async (
 ) => {
     const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier })
     if (!parsed.success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration")
+        const msg = formatZodError(parsed.error).toString()
+        throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg)
     }
     const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data
     try {
@@ -45,12 +47,16 @@ export const createAccessToken = async (
         if (!token.success) {
             const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json)
             if (!success) {
-                throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format")
+                throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format")
             }
-            throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token")
+            throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token")
         }
         return token.data
     } catch (error) {
-        throw throwAuthError(error, "Failed to create access token")
+        /**
+         * @todo: review error handling here
+         */
+        //throw throwAuthError(error, "Failed to create access token")
+        throw error
     }
 }

packages/core/src/actions/callback/callback.ts

@@ -1,16 +1,15 @@
 import z from "zod"
-import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router"
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router"
 import { createCSRF } from "@/secure.js"
 import { cacheControl } from "@/headers.js"
-import { AuraResponse } from "@/response.js"
 import { getUserInfo } from "@/actions/callback/userinfo.js"
-import { AuthError, ERROR_RESPONSE, isAuthError } from "@/errors.js"
 import { equals, isValidRelativePath, sanitizeURL } from "@/utils.js"
 import { createAccessToken } from "@/actions/callback/access-token.js"
-import { OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse } from "@/schemas.js"
 import { createSessionCookie, getCookie, expiredCookieAttributes } from "@/cookie.js"
+import { OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse } from "@/schemas.js"
+import { AuthSecurityError, OAuthProtocolError } from "@/errors.js"
 import type { JWTPayload } from "@/jose.js"
-import type { AccessTokenError, AuthorizationError, AuthRuntimeConfig } from "@/@types/index.js"
+import type { AuthRuntimeConfig } from "@/@types/index.js"
 
 const callbackConfig = (oauth: AuthRuntimeConfig["oauth"]) => {
     return createEndpointConfig("/callback/:oauth", {
@@ -25,7 +24,7 @@ const callbackConfig = (oauth: AuthRuntimeConfig["oauth"]) => {
                 const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams)
                 if (response.success) {
                     const { error, error_description } = response.data
-                    throw new AuthError(error, error_description ?? "OAuth Authorization Error")
+                    throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error")
                 }
                 return ctx
             },
@@ -44,58 +43,43 @@ export const callbackAction = (oauth: AuthRuntimeConfig["oauth"]) => {
                 searchParams: { code, state },
                 context: { oauth: providers, cookies, jose },
             } = ctx
-            try {
-                const oauthConfig = providers[oauth]
-                const cookieState = getCookie(request, cookies.state.name)
-                const cookieRedirectTo = getCookie(request, cookies.redirect_to.name)
-                const cookieRedirectURI = getCookie(request, cookies.redirect_uri.name)
-                const codeVerifier = getCookie(request, cookies.code_verifier.name)
-
-                if (!equals(cookieState, state)) {
-                    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state")
-                }
-
-                const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier)
-                const sanitized = sanitizeURL(cookieRedirectTo)
-                if (!isValidRelativePath(sanitized)) {
-                    throw new AuthError(
-                        ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-                        "Invalid redirect path. Potential open redirect attack detected."
-                    )
-                }
 
-                const userInfo = await getUserInfo(oauthConfig, accessToken.access_token)
+            const oauthConfig = providers[oauth]
+            const cookieState = getCookie(request, cookies.state.name)
+            const cookieRedirectTo = getCookie(request, cookies.redirect_to.name)
+            const cookieRedirectURI = getCookie(request, cookies.redirect_uri.name)
+            const codeVerifier = getCookie(request, cookies.code_verifier.name)
 
-                const sessionCookie = await createSessionCookie(userInfo as JWTPayload, jose)
-
-                const csrfToken = await createCSRF(jose)
+            if (!equals(cookieState, state)) {
+                throw new AuthSecurityError(
+                    "MISMATCHING_STATE",
+                    "The provided state passed in the OAuth response does not match the stored state."
+                )
+            }
 
-                const headers = new HeadersBuilder(cacheControl)
-                    .setHeader("Location", sanitized)
-                    .setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes)
-                    .setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes)
-                    .setCookie(cookies.state.name, "", expiredCookieAttributes)
-                    .setCookie(cookies.redirect_uri.name, "", expiredCookieAttributes)
-                    .setCookie(cookies.redirect_to.name, "", expiredCookieAttributes)
-                    .setCookie(cookies.code_verifier.name, "", expiredCookieAttributes)
-                    .toHeaders()
-                return Response.json({ oauth }, { status: 302, headers: headers })
-            } catch (error) {
-                if (isAuthError(error)) {
-                    const { type, message } = error
-                    return AuraResponse.json<AuthorizationError>(
-                        { error: type as AuthorizationError["error"], error_description: message },
-                        { status: statusCode.BAD_REQUEST }
-                    )
-                }
-                return AuraResponse.json<AccessTokenError>(
-                    {
-                        error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT as AccessTokenError["error"],
-                        error_description: "An unexpected error occurred",
-                    },
-                    { status: statusCode.INTERNAL_SERVER_ERROR }
+            const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier)
+            const sanitized = sanitizeURL(cookieRedirectTo)
+            if (!isValidRelativePath(sanitized)) {
+                throw new AuthSecurityError(
+                    "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+                    "Invalid redirect path. Potential open redirect attack detected."
                 )
             }
+
+            const userInfo = await getUserInfo(oauthConfig, accessToken.access_token)
+            const sessionCookie = await createSessionCookie(userInfo as JWTPayload, jose)
+            const csrfToken = await createCSRF(jose)
+
+            const headers = new HeadersBuilder(cacheControl)
+                .setHeader("Location", sanitized)
+                .setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes)
+                .setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes)
+                .setCookie(cookies.state.name, "", expiredCookieAttributes)
+                .setCookie(cookies.redirect_uri.name, "", expiredCookieAttributes)
+                .setCookie(cookies.redirect_to.name, "", expiredCookieAttributes)
+                .setCookie(cookies.code_verifier.name, "", expiredCookieAttributes)
+                .toHeaders()
+            return Response.json({ oauth }, { status: 302, headers: headers })
         },
         callbackConfig(oauth)
     )

packages/core/src/actions/callback/userinfo.ts

@@ -1,6 +1,6 @@
 import { generateSecure } from "@/secure.js"
 import { OAuthErrorResponse } from "@/schemas.js"
-import { AuthError, throwAuthError } from "@/errors.js"
+import { isNativeError, isOAuthProtocolError, OAuthProtocolError } from "@/errors.js"
 import type { OAuthProviderCredentials, User } from "@/@types/index.js"
 
 /**
@@ -42,10 +42,19 @@ export const getUserInfo = async (oauthConfig: OAuthProviderCredentials, accessT
         const json = await response.json()
         const { success, data } = OAuthErrorResponse.safeParse(json)
         if (success) {
-            throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.")
+            throw new OAuthProtocolError(
+                data.error,
+                data?.error_description ?? "An error occurred while fetching user information."
+            )
         }
         return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json)
     } catch (error) {
-        throw throwAuthError(error, "Failed to retrieve userinfo")
+        if(isOAuthProtocolError(error)) {
+            throw error
+        }
+        if(isNativeError(error)) {
+            throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error })
+        }
+        throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error })
     }
 }

packages/core/src/actions/signIn/authorization.ts

@@ -1,7 +1,7 @@
 import { isValidURL } from "@/assert.js"
 import { OAuthAuthorization } from "@/schemas.js"
-import { equals, getNormalizedOriginPath, sanitizeURL, toCastCase } from "@/utils.js"
-import { AuthError, ERROR_RESPONSE, InvalidRedirectToError, isAuthError } from "@/errors.js"
+import { equals, formatZodError, getNormalizedOriginPath, sanitizeURL, toCastCase } from "@/utils.js"
+import { AuthInternalError, AuthSecurityError, isAuthSecurityError } from "@/errors.js"
 import type { OAuthProviderCredentials } from "@/@types/index.js"
 
 /**
@@ -25,7 +25,9 @@ export const createAuthorizationURL = (
 ) => {
     const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod })
     if (!parsed.success) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration")
+        const msg = JSON.stringify(formatZodError(parsed.error), null, 2)
+        console.log("OAuth Authorization URL Creation Error:", msg)
+        throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg)
     }
     const { authorizeURL, ...options } = parsed.data
     const { userInfo, accessToken, clientSecret, ...required } = options
@@ -82,15 +84,18 @@ export const createRedirectTo = (request: Request, redirectTo?: string, trustedP
             }
             const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)))
             if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-                throw new InvalidRedirectToError()
+                throw new AuthSecurityError(
+                    "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+                    "The redirectTo parameter does not match the hosted origin."
+                )
             }
             return sanitizeURL(redirectToURL.pathname)
         }
         if (referer) {
             const refererURL = new URL(sanitizeURL(referer))
             if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-                throw new AuthError(
-                    ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+                throw new AuthSecurityError(
+                    "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
                     "The referer of the request does not match the hosted origin."
                 )
             }
@@ -99,15 +104,15 @@ export const createRedirectTo = (request: Request, redirectTo?: string, trustedP
         if (origin) {
             const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)))
             if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-                throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
+                throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).")
             }
             return sanitizeURL(originURL.pathname)
         }
         return "/"
     } catch (error) {
-        if (isAuthError(error)) {
+        if (isAuthSecurityError(error)) {
             throw error
         }
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).")
     }
 }

packages/core/src/actions/signIn/signIn.ts

@@ -1,10 +1,8 @@
 import z from "zod"
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router"
-import { AuraResponse } from "@/response.js"
+import { createEndpoint, createEndpointConfig } from "@aura-stack/router"
 import { createPKCE, generateSecure } from "@/secure.js"
-import { ERROR_RESPONSE, isAuthError } from "@/errors.js"
 import { createAuthorizationURL, createRedirectURI, createRedirectTo } from "@/actions/signIn/authorization.js"
-import type { AuthorizationError, AuthRuntimeConfig } from "@/@types/index.js"
+import type { AuthRuntimeConfig } from "@/@types/index.js"
 
 const signInConfig = (oauth: AuthRuntimeConfig["oauth"]) => {
     return createEndpointConfig("/signIn/:oauth", {
@@ -33,44 +31,27 @@ export const signInAction = (oauth: AuthRuntimeConfig["oauth"]) => {
                 params: { oauth, redirectTo },
                 context: { oauth: providers, cookies, trustedProxyHeaders, basePath },
             } = ctx
-            try {
-                const state = generateSecure()
-                const redirectURI = createRedirectURI(request, oauth, basePath, trustedProxyHeaders)
-                const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders)
+            const state = generateSecure()
+            const redirectURI = createRedirectURI(request, oauth, basePath, trustedProxyHeaders)
+            const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders)
 
-                const { codeVerifier, codeChallenge, method } = await createPKCE()
-                const authorization = createAuthorizationURL(providers[oauth], redirectURI, state, codeChallenge, method)
+            const { codeVerifier, codeChallenge, method } = await createPKCE()
+            const authorization = createAuthorizationURL(providers[oauth], redirectURI, state, codeChallenge, method)
 
-                const headers = headersBuilder
-                    .setHeader("Location", authorization)
-                    .setCookie(cookies.state.name, state, cookies.state.attributes)
-                    .setCookie(cookies.redirect_uri.name, redirectURI, cookies.redirect_uri.attributes)
-                    .setCookie(cookies.redirect_to.name, redirectToValue, cookies.redirect_to.attributes)
-                    .setCookie(cookies.code_verifier.name, codeVerifier, cookies.code_verifier.attributes)
-                    .toHeaders()
-                return Response.json(
-                    { oauth },
-                    {
-                        status: 302,
-                        headers,
-                    }
-                )
-            } catch (error) {
-                if (isAuthError(error)) {
-                    const { type, message } = error
-                    return AuraResponse.json<AuthorizationError>(
-                        { error: type as AuthorizationError["error"], error_description: message },
-                        { status: statusCode.BAD_REQUEST }
-                    )
+            const headers = headersBuilder
+                .setHeader("Location", authorization)
+                .setCookie(cookies.state.name, state, cookies.state.attributes)
+                .setCookie(cookies.redirect_uri.name, redirectURI, cookies.redirect_uri.attributes)
+                .setCookie(cookies.redirect_to.name, redirectToValue, cookies.redirect_to.attributes)
+                .setCookie(cookies.code_verifier.name, codeVerifier, cookies.code_verifier.attributes)
+                .toHeaders()
+            return Response.json(
+                { oauth },
+                {
+                    status: 302,
+                    headers,
                 }
-                return AuraResponse.json<AuthorizationError>(
-                    {
-                        error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR as AuthorizationError["error"],
-                        error_description: "An unexpected error occurred",
-                    },
-                    { status: statusCode.INTERNAL_SERVER_ERROR }
-                )
-            }
+            )
         },
         signInConfig(oauth)
     )