FlourishHealth / ferns-api

Apache License 2.0

Return error if jwt cannot be decoded properly or has an error #395

Closed kjkurtz closed 4 months ago

kjkurtz commented 4 months ago

User description

We weren't throwing an error if the token could not be decoded or was expired, so it just hung. This now throws an error.


PR Type

Bug fix, Tests


Description


Changes walkthrough 📝

Relevant files

Tests

auth.test.ts (src/auth.test.ts), +27/-0: Add tests for token expiration and timer handling.
  • Added test to verify token expiration handling.
  • Introduced fake timers in tests to simulate time passage.
  • Cleaned up timers after each test.

Bug fix

auth.ts (src/auth.ts), +2/-3: Handle JWT verification errors and return 401 status.
  • Added error handling for JWT verification failures.
  • Return 401 status with error message if JWT verification fails.

💡 PR-Agent usage: Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

codiumai-pr-agent-pro[bot] commented 4 months ago

PR Review 🔍

⏱️ Estimated effort to review [1-5]: 2, because the changes are straightforward and localized to specific functionalities. The PR includes both the implementation of the new error handling logic and the corresponding tests, which are well-documented and easy to follow.
🧪 Relevant tests: Yes
⚡ Possible issues: Time Manipulation in Tests: Using fake timers and manipulating system time in tests can lead to issues if not handled correctly across different environments or if the cleanup (useRealTimers) fails or is skipped due to test interruptions.
🔒 Security concerns: No

codiumai-pr-agent-pro[bot] commented 4 months ago

PR Code Suggestions ✨

Category: Security
**Return a generic error message instead of the actual error message for security reasons**

Instead of returning the error message directly, it would be more secure to return a generic error message to avoid leaking sensitive information about the token verification process.

[src/auth.ts [229]](https://github.com/FlourishHealth/ferns-api/pull/395/files#diff-84a5d130fb4cccb80f78601d140f1d5397dc0272f94cea672a8470539fcf6dc7R229-R229)

```diff
-return res.status(401).json({message: error?.message});
+return res.status(401).json({message: "Invalid token"});
```
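Review bot: the `+` line drops `error?.message` without giving it anywhere else to go, so an expired token and a tampered token become indistinguishable in server logs as well as to the client. Pair the generic `{message: "Invalid token"}` response with a server-side log of `error?.message` (via the project's logger) before the `return`, so that a spike in 401s can still be triaged by cause.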
Suggestion importance [1-10]: 9. Why: This is a crucial security improvement to prevent leaking details about the internal workings of the token verification process.
Category: Best practice
**Ensure jest.useRealTimers is always called by using a finally block in the afterEach function**

To ensure that the jest.useFakeTimers setup is properly cleaned up after each test, it would be better to move the jest.useRealTimers call to a finally block within the afterEach function. This will ensure that even if an error occurs, the timers are reset.

[src/auth.test.ts [81-83]](https://github.com/FlourishHealth/ferns-api/pull/395/files#diff-7e878fd5df9f5b949227e866aa85dc4383321531d0fc22ee586b850509000f33R81-R83)

```diff
 afterEach(async function () {
-  jest.useRealTimers();
+  try {
+    // other cleanup code if needed
+  } finally {
+    jest.useRealTimers();
+  }
 });
```
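Review bot: the added `try` body contains only a placeholder comment, so the `finally` changes nothing: `jest.useRealTimers()` already runs unconditionally inside `afterEach`, and Jest runs `afterEach` hooks whether the test body passed or threw. Either drop this suggestion or put real cleanup that can throw inside the `try`; as shown, the extra structure is dead weight.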
Suggestion importance [1-10]: 7. Why: This is a good practice to ensure that the test environment is cleaned up properly, which can prevent side effects in subsequent tests.
**Reset the system time back to the original time after the test to avoid side effects**

In the new test case for token expiration, it is better to reset the system time back to the current time after the test completes to avoid side effects on other tests.

[src/auth.test.ts [259]](https://github.com/FlourishHealth/ferns-api/pull/395/files#diff-7e878fd5df9f5b949227e866aa85dc4383321531d0fc22ee586b850509000f33R259-R259)

```diff
-jest.setSystemTime(new Date().getTime() + 1000 * 60 * 60 * 24 * 30);
+const originalTime = new Date().getTime();
+jest.setSystemTime(originalTime + 1000 * 60 * 60 * 24 * 30);
+// other test code
+jest.setSystemTime(originalTime);
```
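Review bot: the trailing `+jest.setSystemTime(originalTime);` only executes if every preceding `expect` resolves; if `await agent.get("/auth/me").expect(401)` rejects, the reset is skipped and the fake clock stays 30 days ahead for the rest of that test. Since `afterEach` already calls `jest.useRealTimers()`, which discards the fake clock entirely, the in-test reset is redundant; if a reset is wanted at all, it belongs in `afterEach`, not at the end of the test body.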
Suggestion importance [1-10]: 7. Why: This suggestion is valid as it prevents potential side effects on other tests by ensuring the system time is reset after modifications.
Category: Possible issue
**Add a check to ensure the token is valid before setting the system time forward in the token expiration test**

In the new test case for token expiration, add a check to ensure that the token is still valid before setting the system time forward. This will make the test more robust by verifying the token's validity before simulating its expiration.

[src/auth.test.ts [257-261]](https://github.com/FlourishHealth/ferns-api/pull/395/files#diff-7e878fd5df9f5b949227e866aa85dc4383321531d0fc22ee586b850509000f33R257-R261)

```diff
 await agent.get("/auth/me").expect(200);
 jest.setSystemTime(new Date().getTime() + 1000 * 60 * 60 * 24 * 30);
+await agent.get("/auth/me").expect(200); // Ensure token is still valid before expiration
 await agent.get("/auth/me").expect(401);
```
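Review bot: the added `+await agent.get("/auth/me").expect(200)` sits after `jest.setSystemTime(...)` has already moved the clock forward 30 days, so it asserts that an expired token is still accepted and would fail under the exact behaviour this PR introduces. The existing `expect(200)` before the time jump already establishes that the token is valid, so the inserted line should be dropped, or at least moved above `jest.setSystemTime`.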
Suggestion importance [1-10]: 6. Why: Adding a validity check before simulating token expiration would make the test more robust, although it's not critical for the test's primary purpose.