feat: invalid_token errors now have a detail to aid in debugging or logs

panva · Sep 26, 2018 · b8324b7 · b8324b7
1 parent 9a1f0a3
commit b8324b7
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/lib/actions/registration.js b/lib/actions/registration.js
@@ -56,15 +56,15 @@ module.exports = function registrationAction(provider) {
     setWWWAuthenticateHeader,
     async function validateRegistrationAccessToken(ctx, next) {
       const regAccessToken = await provider.RegistrationAccessToken.find(ctx.oidc.bearer);
-      ctx.assert(regAccessToken, new InvalidToken());
+      ctx.assert(regAccessToken, new InvalidToken('token not found'));
 
       const client = await provider.Client.find(ctx.params.clientId, {
         fresh: true,
       });
 
       if (!client || client.clientId !== regAccessToken.clientId) {
         await regAccessToken.destroy();
-        throw new InvalidToken();
+        throw new InvalidToken('authenticated client and registration access token client mismatch');
       }
 
       ctx.oidc.entity('Client', client);
@@ -84,7 +84,7 @@ module.exports = function registrationAction(provider) {
         switch (registration.initialAccessToken && typeof registration.initialAccessToken) {
           case 'boolean': {
             const initialAccessToken = await provider.InitialAccessToken.find(ctx.oidc.bearer);
-            ctx.assert(initialAccessToken, new InvalidToken());
+            ctx.assert(initialAccessToken, new InvalidToken('initial access token not found'));
             ctx.oidc.entity('InitialAccessToken', initialAccessToken);
             break;
           }
@@ -94,7 +94,7 @@ module.exports = function registrationAction(provider) {
               ctx.oidc.bearer,
               1000,
             );
-            ctx.assert(valid, new InvalidToken());
+            ctx.assert(valid, new InvalidToken('invalid initial access token value'));
             break;
           }
           default:

diff --git a/lib/actions/userinfo.js b/lib/actions/userinfo.js
@@ -51,12 +51,12 @@ module.exports = function userinfoAction(provider) {
 
     async function validateBearer(ctx, next) {
       const accessToken = await provider.AccessToken.find(ctx.oidc.bearer);
-      ctx.assert(accessToken, new InvalidToken());
+      ctx.assert(accessToken, new InvalidToken('access token not found'));
 
       if (accessToken['x5t#S256']) {
         const cert = ctx.get('x-ssl-client-cert');
         if (!cert || accessToken['x5t#S256'] !== getS256Thumbprint(cert)) {
-          throw new InvalidToken();
+          throw new InvalidToken('failed x5t#S256 verification');
         }
       }
 
@@ -82,7 +82,7 @@ module.exports = function userinfoAction(provider) {
 
     async function loadClient(ctx, next) {
       const client = await provider.Client.find(ctx.oidc.accessToken.clientId);
-      ctx.assert(client, new InvalidToken());
+      ctx.assert(client, new InvalidToken('associated client not found'));
 
       ctx.oidc.entity('Client', client);
 
@@ -96,7 +96,7 @@ module.exports = function userinfoAction(provider) {
         ctx.oidc.accessToken,
       );
 
-      ctx.assert(account, new InvalidToken());
+      ctx.assert(account, new InvalidToken('associated account not found'));
       ctx.oidc.entity('Account', account);
 
       await next();

diff --git a/lib/helpers/errors.js b/lib/helpers/errors.js
@@ -13,10 +13,13 @@ class OIDCProviderError extends Error {
 }
 
 class InvalidToken extends OIDCProviderError {
-  constructor() {
+  constructor(detail) {
     super(401, 'invalid_token');
     Error.captureStackTrace(this, this.constructor);
-    Object.assign(this, { error_description: 'invalid token provided' });
+    Object.assign(this, {
+      error_description: 'invalid token provided',
+      error_detail: detail,
+    });
   }
 }