Fix handling of auth errors

4 years ago · 30d8fa9072
16 changed files with 18 additions and 48 deletions
--- a/accounts/fees-rest-api.js
+++ b/accounts/fees-rest-api.js
@ -28,7 +28,6 @@ class FeesRestApi {
      '/fees',
      authMgr.checkAuthentication.bind(authMgr),
      this.getFees.bind(this),
-      HttpServer.sendAuthError
    )
    // Refresh the network fees
    rpcFees.refresh()
--- a/accounts/headers-rest-api.js
+++ b/accounts/headers-rest-api.js
@ -33,7 +33,6 @@ class HeadersRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsGetHeader.bind(this),
      this.getHeader.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/multiaddr-rest-api.js
+++ b/accounts/multiaddr-rest-api.js
@ -36,7 +36,6 @@ class MultiaddrRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.getMultiaddr.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.post(
@ -45,7 +44,6 @@ class MultiaddrRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.postMultiaddr.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/status-rest-api.js
+++ b/accounts/status-rest-api.js
@ -31,7 +31,6 @@ class StatusRestApi {
      `/${keys.prefixes.status}/`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getStatus.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/support-rest-api.js
+++ b/accounts/support-rest-api.js
@ -42,7 +42,6 @@ class SupportRestApi {
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.validateAddress.bind(this),
      this.getAddressInfo.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -50,7 +49,6 @@ class SupportRestApi {
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.validateAddress.bind(this),
      this.getAddressRescan.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -58,7 +56,6 @@ class SupportRestApi {
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.validateArgsGetXpubInfo.bind(this),
      this.getXpubInfo.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -66,7 +63,6 @@ class SupportRestApi {
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.validateArgsGetXpubRescan.bind(this),
      this.getXpubRescan.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -74,21 +70,18 @@ class SupportRestApi {
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.validateArgsGetXpubDelete.bind(this),
      this.getXpubDelete.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
      `/${keys.prefixes.support}/pairing/explorer`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getPairingExplorer.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
      `/${keys.prefixes.support}/pairing`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getPairing.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/transactions-rest-api.js
+++ b/accounts/transactions-rest-api.js
@ -36,7 +36,6 @@ class TransactionsRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsGetTransaction.bind(this),
      this.getTransaction.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -45,7 +44,6 @@ class TransactionsRestApi {
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.validateArgsGetTransactions.bind(this),
      this.getTransactions.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/unspent-rest-api.js
+++ b/accounts/unspent-rest-api.js
@ -36,7 +36,6 @@ class UnspentRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.getUnspent.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.post(
@ -45,7 +44,6 @@ class UnspentRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.postUnspent.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/wallet-rest-api.js
+++ b/accounts/wallet-rest-api.js
@ -35,7 +35,6 @@ class WalletRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.getWallet.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.post(
@ -44,7 +43,6 @@ class WalletRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      apiHelper.validateEntitiesParams.bind(apiHelper),
      this.postWallet.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/accounts/xpub-rest-api.js
+++ b/accounts/xpub-rest-api.js
@ -41,7 +41,6 @@ class XPubRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsPostXpub.bind(this),
      this.postXpub.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -49,7 +48,6 @@ class XPubRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsGetXpub.bind(this),
      this.getXpubImportStatus.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
@ -57,7 +55,6 @@ class XPubRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsGetXpub.bind(this),
      this.getXpub.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.post(
@ -66,7 +63,6 @@ class XPubRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsPostLockXpub.bind(this),
      this.postLockXpub.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.delete(
@ -75,7 +71,6 @@ class XPubRestApi {
      authMgr.checkAuthentication.bind(authMgr),
      this.validateArgsDeleteXpub.bind(this),
      this.deleteXpub.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/lib/auth/auth-rest-api.js
+++ b/lib/auth/auth-rest-api.js
@ -41,24 +41,21 @@ class AuthRestApi {
      authentMgr.authenticate({session: false}),
      authentMgr.serialize,
      authorzMgr.generateAuthorizations.bind(authorzMgr),
-      this.login.bind(this),
-      HttpServer.sendAuthError
+      this.login.bind(this)
    )

    this.httpServer.app.post(
      '/auth/logout',
      urlencodedParser,
      authorzMgr.revokeAuthorizations.bind(authorzMgr),
-      this.logout.bind(this),
-      HttpServer.sendAuthError
+      this.logout.bind(this)
    )

    this.httpServer.app.post(
      '/auth/refresh',
      urlencodedParser,
      authorzMgr.refreshAuthorizations.bind(authorzMgr),
-      this.refresh.bind(this),
-      HttpServer.sendAuthError
+      this.refresh.bind(this)
    )
  }

--- a/lib/auth/authorizations-manager.js
+++ b/lib/auth/authorizations-manager.js
@ -174,7 +174,7 @@ class AuthorizationsManager {
  }

  /**
-   * Check if user is authenticated 
+   * Check if user is authenticated
   * (i.e. we have received a valid json web token)
   * @param {string} token - json web token
   * @returns {boolean} returns the decoded token if valid
@ -329,7 +329,7 @@ class AuthorizationsManager {
        const token = authHeader.substring(7)
        if (validator.isJWT(token))
          return token
-      }        
+      }
    }
    return null
  }
--- a/lib/auth/localapikey-strategy-configurator.js
+++ b/lib/auth/localapikey-strategy-configurator.js
@ -51,7 +51,7 @@ class LocalApiKeyStrategyConfigurator {
      return done(null, {'profile': authorzMgr.TOKEN_PROFILE_API})
    } else {
      Logger.error(null, `Auth : Authentication failure (apikey=${apiKey})`)
-      return done('Invalid API key', false)
+      return done(errors.auth.INVALID_API_KEY, false)
    }
  }

--- a/lib/errors.js
+++ b/lib/errors.js
@ -66,7 +66,8 @@ module.exports = {
    INVALID_JWT: 'Invalid JSON Web Token',
    INVALID_PRF: 'Your current access rights do not allow this operation',
    MISSING_JWT: 'Missing JSON Web Token',
-    TECH_ISSUE: 'A technical problem was encountered. Unable to authenticate the user'
+    TECH_ISSUE: 'A technical problem was encountered. Unable to authenticate the user',
+    INVALID_API_KEY: 'Invalid API key',
  },
  db: {
    ERROR_NO_ADDRESS: 'ERROR_NO_ADDRESS',
--- a/lib/http-server/http-server.js
+++ b/lib/http-server/http-server.js
@ -33,12 +33,16 @@ class HttpServer {
    this.app = new App({
      // Error handler
      onError: (err, req, res) => {
-        Logger.error(err.stack, 'HttpServer : general error')
-        const ret = {status: 'Server error'}
-        HttpServer.sendError(res, ret, 500)
+        // Detect if this is auth error
+        if (Object.values(errors.auth).includes(err)) {
+          HttpServer.sendError(res, err, 401)
+        } else {
+          Logger.error(err.stack, 'HttpServer : general error')
+          const ret = {status: 'Server error'}
+          HttpServer.sendError(res, ret, 500)
+        }
      }
    });
-    this.app.set('trust proxy', 'loopback')

    // Middlewares for json responses and requests logging
    this.app.use(HttpServer.requestLogger)
@ -141,12 +145,10 @@ class HttpServer {

  /*
   * A middleware returning an authorization error response
-   * @param {string} err - error
-   * @param {object} req - http request object
   * @param {object} res - http response object
-   * @param {function} next - callback function
+   * @param {string} err - error
   */
-  static sendAuthError(err, req, res, next) {
+  static sendAuthError(res, err) {
    if (err) {
      HttpServer.sendError(res, err, 401)
    }
--- a/pushtx/pushtx-rest-api.js
+++ b/pushtx/pushtx-rest-api.js
@ -40,35 +40,30 @@ class PushTxRestApi {
      jsonParser,
      authMgr.checkAuthentication.bind(authMgr),
      this.postScheduleTxs.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.post(
      '/',
      authMgr.checkAuthentication.bind(authMgr),
      this.postPushTx.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
      '/',
      authMgr.checkAuthentication.bind(authMgr),
      this.getPushTx.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
      `/${keys.prefixes.statusPushtx}/`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getStatus.bind(this),
-      HttpServer.sendAuthError
    )

    this.httpServer.app.get(
      `/${keys.prefixes.statusPushtx}/schedule`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getStatusSchedule.bind(this),
-      HttpServer.sendAuthError
    )

    // Handle unknown paths, returning a help message
@ -76,7 +71,6 @@ class PushTxRestApi {
      '/*',
      authMgr.checkAuthentication.bind(authMgr),
      this.getHelp.bind(this),
-      HttpServer.sendAuthError
    )
  }

--- a/tracker/tracker-rest-api.js
+++ b/tracker/tracker-rest-api.js
@ -31,7 +31,6 @@ class TrackerRestApi {
      `/${keys.prefixes.support}/rescan`,
      authMgr.checkHasAdminProfile.bind(authMgr),
      this.getBlocksRescan.bind(this),
-      HttpServer.sendAuthError
    )
  }