fix(oauth-provider): better align errors with spec
1 parent
7082971
commit da4e905
Showing
24 changed files
with
260 additions
and
141 deletions.
14 changes: 13 additions & 1 deletion
14
packages/oauth-provider/src/errors/invalid-authorization-details-error.ts
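--- a/packages/oauth-provider/src/errors/invalid-client-error.ts
+++ b/packages/oauth-provider/src/errors/invalid-client-error.ts
@@ -1,10 +1,20 @@
 import { OAuthError } from './oauth-error.js'
 
 /**
- * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591}
+ * @see
+ * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }
+ *
+ * Client authentication failed (e.g., unknown client, no client authentication
+ * included, or unsupported authentication method). The authorization server MAY
+ * return an HTTP 401 (Unauthorized) status code to indicate which HTTP
+ * authentication schemes are supported. If the client attempted to
+ * authenticate via the "Authorization" request header field, the authorization
+ * server MUST respond with an HTTP 401 (Unauthorized) status code and include
+ * the "WWW-Authenticate" response header field matching the authentication
+ * scheme used by the client.
  */
-export abstract class InvalidClientError extends OAuthError {
-  constructor(error: string, error_description: string, cause?: unknown) {
-    super(error, error_description, 400, cause)
+export class InvalidClientError extends OAuthError {
+  constructor(error_description: string, cause?: unknown) {
+    super('invalid_client', error_description, 400, cause)
   }
 }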
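Review bot: The new docblock quotes RFC 6749 §5.2's rule that a client which authenticated via the `Authorization` header MUST get a 401 with a matching `WWW-Authenticate` header, yet the constructor hard-codes `400` and exposes no way to set a status or challenge, so the class cannot produce the response it documents for HTTP Basic client authentication. Either give callers a hook, e.g. an optional `status: 400 | 401 = 400` argument forwarded as the third `super` parameter (assumed to be the HTTP status from how it is used here; OAuthError is outside this diff), or state the limitation in the docblock, e.g. `* NOTE: this class always answers 400; for clients that authenticated via the Authorization header the caller must build the 401 + WWW-Authenticate response itself.`. Since `error_description` is caller-supplied, it is also worth keeping "unknown client" and "wrong credentials" indistinguishable in that text so the endpoint cannot be used to enumerate registered client_ids.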
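--- a/packages/oauth-provider/src/errors/invalid-client-metadata-error.ts
+++ b/packages/oauth-provider/src/errors/invalid-client-metadata-error.ts
@@ -1,10 +1,14 @@
-import { InvalidClientError } from './invalid-client-error.js'
+import { OAuthError } from './oauth-error.js'
 
 /**
- * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}
+ *
+ * The value of one of the client metadata fields is invalid and the server has
+ * rejected this request. Note that an authorization server MAY choose to
+ * substitute a valid value for any requested parameter of a client's metadata.
  */
-export class InvalidClientMetadataError extends InvalidClientError {
+export class InvalidClientMetadataError extends OAuthError {
   constructor(error_description: string, cause?: unknown) {
-    super('invalid_client_metadata', error_description, cause)
+    super('invalid_client_metadata', error_description, 400, cause)
   }
 }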
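--- a/packages/oauth-provider/src/errors/invalid-dpop-key-binding.ts
+++ b/packages/oauth-provider/src/errors/invalid-dpop-key-binding.ts
@@ -1,7 +1,21 @@
-import { InvalidTokenError } from './invalid-token-error.js'
+import { WWWAuthenticateError } from './www-authenticate-error.js'
 
-export class InvalidDpopKeyBindingError extends InvalidTokenError {
+/**
+ * @see
+ * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field}
+ *
+ * @see
+ * {@link https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch | RFC9449 - The DPoP Authentication Scheme}
+ */
+export class InvalidDpopKeyBindingError extends WWWAuthenticateError {
   constructor(cause?: unknown) {
-    super('Invalid DPoP key binding', { DPoP: {} }, cause)
+    const error = 'invalid_token'
+    const error_description = 'Invalid DPoP key binding'
+    super(
+      error,
+      error_description,
+      { DPoP: { error, error_description } },
+      cause,
+    )
   }
 }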
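Review bot: Switching the base class from InvalidTokenError to WWWAuthenticateError means this error no longer satisfies the `err instanceof InvalidTokenError` early return in `InvalidTokenError.from` (see the invalid-token-error.ts hunk in this commit); if WWWAuthenticateError is an OAuthError, which the shared `(error, error_description, …)` signature suggests but this diff does not show, `from` will re-wrap it as `new InvalidTokenError(tokenType, 'Invalid DPoP key binding', err)` and the `DPoP` challenge built here is replaced by one keyed on whatever `tokenType` the caller passed. The body duplicates exactly what InvalidTokenError's constructor already produces for a `'DPoP'` token type, so the simplest fix is to keep the old parent and reduce the constructor to `super('DPoP', 'Invalid DPoP key binding', cause)`; alternatively add a WWWAuthenticateError pass-through branch in `from`. RFC 9449 §7.1 also defines an `algs` challenge parameter listing the accepted DPoP proof algorithms; the inline object leaves no way for a caller to add it, which is worth a `// TODO` if the server intends to advertise them.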
@@ -0,0 +1,16 @@ | ||
import { OAuthError } from './oauth-error.js' | ||
|
||
/** | ||
* @see | ||
* {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token } | ||
* | ||
* The provided authorization grant (e.g., authorization code, resource owner | ||
* credentials) or refresh token is invalid, expired, revoked, does not match | ||
* the redirection URI used in the authorization request, or was issued to | ||
* another client. | ||
*/ | ||
export class InvalidGrantError extends OAuthError { | ||
constructor(error_description: string, cause?: unknown) { | ||
super('invalid_grant', error_description, 400, cause) | ||
} | ||
} |
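--- a/packages/oauth-provider/src/errors/invalid-redirect-uri-error.ts
+++ b/packages/oauth-provider/src/errors/invalid-redirect-uri-error.ts
@@ -1,10 +1,12 @@
-import { InvalidClientError } from './invalid-client-error.js'
+import { OAuthError } from './oauth-error.js'
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591}
+ *
+ * The value of one or more redirection URIs is invalid.
  */
-export class InvalidRedirectUriError extends InvalidClientError {
+export class InvalidRedirectUriError extends OAuthError {
   constructor(error_description: string, cause?: unknown) {
-    super('invalid_redirect_uri', error_description, cause)
+    super('invalid_redirect_uri', error_description, 400, cause)
   }
 }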
23 changes: 23 additions & 0 deletions
23
packages/oauth-provider/src/errors/invalid-request-error.ts
@@ -1,30 +1,58 @@ | ||
import { JOSEError } from 'jose/errors' | ||
import { ZodError } from 'zod' | ||
|
||
import { UnauthorizedError, WWWAuthenticate } from './unauthorized-error.js' | ||
import { OAuthError } from './oauth-error.js' | ||
import { WWWAuthenticateError } from './www-authenticate-error.js' | ||
|
||
export class InvalidTokenError extends UnauthorizedError { | ||
/** | ||
* @see | ||
* {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field } | ||
* | ||
* The access token provided is expired, revoked, malformed, or invalid for | ||
* other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) | ||
* status code. The client MAY request a new access token and retry the | ||
* protected resource request. | ||
*/ | ||
export class InvalidTokenError extends WWWAuthenticateError { | ||
static from( | ||
err: unknown, | ||
wwwAuthenticate: WWWAuthenticate, | ||
fallbackMessage = 'Invalid token', | ||
tokenType: string, | ||
fallbackMessage?: string, | ||
): InvalidTokenError { | ||
if (err instanceof InvalidTokenError) { | ||
return err | ||
} | ||
|
||
if (err instanceof OAuthError) { | ||
return new InvalidTokenError(tokenType, err.error_description, err) | ||
} | ||
|
||
if (err instanceof JOSEError) { | ||
throw new InvalidTokenError(err.message, wwwAuthenticate, err) | ||
return new InvalidTokenError(tokenType, err.message, err) | ||
} | ||
|
||
if (err instanceof ZodError) { | ||
throw new InvalidTokenError(err.message, wwwAuthenticate, err) | ||
return new InvalidTokenError(tokenType, err.message, err) | ||
} | ||
|
||
throw new InvalidTokenError(fallbackMessage, wwwAuthenticate, err) | ||
return new InvalidTokenError( | ||
tokenType, | ||
fallbackMessage ?? 'Invalid token', | ||
err, | ||
) | ||
} | ||
|
||
constructor( | ||
readonly tokenType: string, | ||
error_description: string, | ||
wwwAuthenticate: WWWAuthenticate, | ||
cause?: unknown, | ||
) { | ||
super(error_description, wwwAuthenticate, cause) | ||
const error = 'invalid_token' | ||
super( | ||
error, | ||
error_description, | ||
{ [tokenType]: { error, error_description } }, | ||
cause, | ||
) | ||
} | ||
} |
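Review bot: `from` now copies the raw `err.message` of a JOSEError or ZodError into the `WWW-Authenticate` challenge as `error_description` (the constructor builds `{ [tokenType]: { error, error_description } }` from it), whereas before the challenge was supplied separately by the caller. RFC 6750 §3 limits `error_description` to the quoted-string character set, and a zod v3 `ZodError.message` is the pretty-printed JSON of its issues — it contains newlines and double quotes — so the header is either malformed or rejected when set (how WWWAuthenticateError serialises the challenge is outside this hunk), and it also echoes internal schema details to the client. I would keep the detail in `cause` and put a fixed string in the challenge, i.e. `return new InvalidTokenError(tokenType, fallbackMessage ?? 'Invalid token', err)` in the JOSEError and ZodError branches as well, or sanitise the message to the allowed character set before it reaches the constructor.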
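--- a/packages/oauth-provider/src/errors/unauthorized-client-error.ts
+++ b/packages/oauth-provider/src/errors/unauthorized-client-error.ts
@@ -1,7 +1,20 @@
 import { OAuthError } from './oauth-error.js'
 
+/**
+ * @see
+ * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }
+ *
+ * The authenticated client is not authorized to use this authorization grant
+ * type.
+ *
+ * @see
+ * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 | RFC6749 - Authorization Code Grant, Authorization Request}
+ *
+ * The client is not authorized to request an authorization code using this
+ * method.
+ */
 export class UnauthorizedClientError extends OAuthError {
   constructor(error_description: string, cause?: unknown) {
-    super('unauthorized_client', error_description, 401, cause)
+    super('unauthorized_client', error_description, 400, cause)
   }
 }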
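Review bot: The added docblock cites both the token endpoint (§5.2) and the authorization endpoint (§4.1.2.1), but the hard-coded `400` only fits the first: at the authorization endpoint `unauthorized_client` is delivered as parameters on a redirect to the client's registered redirect URI, not as an HTTP error status. Unless the status is ignored on that path (not visible here), it is worth saying so in the docblock, e.g. `* The 400 status applies to token-endpoint responses; authorization-endpoint errors are returned to the client via the redirect URI instead.`.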
7 changes: 0 additions & 7 deletions
7
packages/oauth-provider/src/errors/unauthorized-dpop-error.ts
This file was deleted.
This file was deleted.
This file was deleted.