Throwing Http Errors from middleware

[mogusbi]

Is it possible to throw http errors listed here with middleware and custom decorators?

Here's an example of what I'm trying to do;

// Unauthorised.ts

import {NextFunction, Request, Response} from 'express'
import {ForbiddenError, getMetadataArgsStorage} from 'routing-controllers';

export function Unauthorised (): Function {
  return (objectOrFunction: Object | Function, methodName?: string) => {
    getMetadataArgsStorage()
      .uses
      .push({
        afterAction: false,
        method: methodName,
        middleware: (req: Request, _: Response, next: NextFunction) => {
          if (req.headers.authorization) {
            throw new ForbiddenError();
          }

          next();
        },
        target: methodName ? objectOrFunction.constructor : objectOrFunction as Function
      });
  };
}

// auth.controller.ts

import {Body, JsonController, Post} from 'routing-controllers';
import {Unauthorised} from './Unauthorised';

@JsonController('/auth')
export class AuthController {
  @Post()
  @Unauthorised()
  public httpPost (
    @Body({
      required: true
    }) props
  ) {
    // do auth logic here if you're not already authorised
  }
}

But rather than returning the error response that it does when it's inside the controller, it literally throws the error and returns a 500 server error

POST /api/1.0/auth 500 11.622 ms - 2343
Error
    at ForbiddenError.HttpError [as constructor] (/HttpError.ts:19:22)
    at new ForbiddenError (/ForbiddenError.ts:10:9)
    at middleware (/Unauthorised.ts:12:19)

[MichalLytek]

If you use undocumented hooks from internal stuffs like getMetadataArgsStorage().uses.push you can get weird behavior very easy.

Middlewares are specially treated at routing-controllers level with try-catch and handle error:

// if its a regular middleware then register it as express middleware
if ((middleware.instance as ExpressMiddlewareInterface).use) {
    this.express.use((request: any, response: any, next: (err: any) => any) => {
        try {
            const useResult = (middleware.instance as ExpressMiddlewareInterface).use(request, response, next);
            if (isPromiseLike(useResult)) {
                useResult.catch((error: any) => {
                    this.handleError(error, undefined, {request, response, next});
                    return error;
                });
            }

        } catch (error) {
            this.handleError(error, undefined, {request, response, next});
        }
    });
}

However they have to be registered on bootstrap, not by dirty hack.
Middlewares on controller or action level aren't try-catched:

// user used middlewares
const uses = [...actionMetadata.controllerMetadata.uses, ...actionMetadata.uses];
const beforeMiddlewares = this.prepareMiddlewares(uses.filter(use => !use.afterAction));
const afterMiddlewares = this.prepareMiddlewares(uses.filter(use => use.afterAction));

// prepare route and route handler function
const route = ActionMetadata.appendBaseRoute(this.routePrefix, actionMetadata.fullRoute);
const routeHandler = function routeHandler(request: any, response: any, next: Function) {
    return executeCallback({request, response, next});
};

// finally register action in express
this.express[actionMetadata.type.toLowerCase()](...[
    route,
    ...beforeMiddlewares,
    ...defaultMiddlewares,
    routeHandler,
    ...afterMiddlewares
]);

So that's why the error is not capturing and the statusCode is wrong.

@mogusbi
Why you can't just use the built-in authorization feature?
https://github.com/pleerock/routing-controllers#using-authorization-features

createExpressServer({
    authorizationChecker: async (action: Action, roles: string[]) => {
        if (roles.includes("guest")) {
            if (action.request.headers["authorization"]) {
                throw new ForbiddenError();
                // or return false; - it's the same, still returns 403 error
            } else {
                return true;
            }
        }
    }
})

@JsonController("/auth")
export class AuthController {
    @Post()
    @Authorized("guest")
    public httpPost(
        @Body({
            required: true,
        })
        props,
    ) {
        // do auth logic here if you're not already authorised
    }
}
``

[mogusbi]

@19majkel94 Thank you for the explanation 👍

Using @Authorize() could be a solution but there could be use cases which have nothing to do with authorisation where you'd still want to throw errors from other custom decorators or middleware

[mogusbi]

@19majkel94 I've just tried your example and throwing an error in the authorizationChecker causes the same issue with it returning an internal server error instead of the expected 403

Returning false fixes it but my issue still stands in that I can't use the errors from anywhere other than my controller

[NoNameProvided]

I've just tried your example and throwing an error in the authorizationChecker causes the same issue with it returning an internal server error instead of the expected 403

This is fixed, merged into master, but not released yet. (ref #247, #233). It will be released in 0.7.2.

[MichalLytek]

It will be released in 0.7.2.

Which might happen even after the end of August as pleerock is on vacations 😞

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.