search

ThatConference / thatconference.com

https://thatconference.com
GNU General Public License v3.0
4 stars 2 forks source link

Errors in /api/auth/proxy not making back to the user #110

Open brettski opened 10 months ago

brettski commented 10 months ago

Describe the bug when a call is made to /api/auth/proxy which is in error or if the user is not logged in (accessToken === undefined) the error is never making back to the user and the website hangs with the request. A true error does successfully get recorded in Sentry, makes it to the user's console, but not back to the web page.

The file in next/feature: https://github.com/ThatConference/thatconference.com/blob/next/feature/src/routes/api/auth/proxy/%2Bserver.js

First issue is here (lines 9 - 15)

    try {
        const session = await locals.getSession();
        const accessToken = session?.accessToken;

        if (!accessToken) {
            throw error(401, 'Unauthorized Access');
        }

Having throw error() within a try block immediately goes to the catch block. The case above the message is undefined and nothing makes back to the client, in console, Sentry or otherwise.

A correction for this is as follows (new lines 9-16):

    const session = await locals.getSession();
    const accessToken = session?.accessToken;

    if (!accessToken) {
        throw error(401, 'Unauthorized Access');
    }

    try {

Now, when the user isn't logged in, Svelte does properly throw a 401, Unauthorized Access. A problem still is that the client doesn't get this error to the page. It does shows in in the console.

I am not sure how to restructure this to get the errors back to the user so the page isn't just hanging there.

To Reproduce Steps to reproduce the behavior:

  1. Open 2 tabs Tab A, Tab B, and login to both of them.
  2. In Tab A, go to any session/activity
  3. In Tab B, log out as that user
  4. In Tab A, click favorite button
  5. See how page hangs, look at console for any response.

Expected behavior In this repro the user should be alerted not authorized, or prompted to login (a little more difficult). For 500 errors, they should be relayed back to the user over the page just hanging there.

With the code as it is now, /api/auth/proxy is sending back a 500 error. This is because the throw error(401...) is in thetryblock, being caught by the catch block and trying to capture messageundefined`.

The catch block (lines 42–49)

} catch ({ message }) {
        console.error('AUTH0 EXCEPTION', message);

        Sentry.setContext('AUTH0 GetAccessToken body', { body });
        Sentry.captureMessage(message);

        return json({});
}

Catching throw error(401, 'Unauthorized Access') has no message, hence message's value is undefined.

brettski commented 10 months ago

Update: file, https://github.com/ThatConference/thatconference.com/blob/next/feature/src/routes/api/auth/proxy/%2Bserver.js, updated so it properly returns 401 when not logged in.

export async function POST({ request, locals }) {
    const body = await request.json();

    const session = await locals.getSession();
    const accessToken = session?.accessToken;

    if (!accessToken) {
        throw error(401, 'Unauthorized Access');
    }

    try {
...