fix(core): improve error handling in node classes (#2703)

packages/platform-middleware/jwt.ts

@@ -21,19 +21,14 @@ export const ValidateJWT: BaseMiddlewareFunction<{
   token?: string
 }> = ({ ctx, next }) => {
   if (ctx.token) {
-    try {
-      const { sub: subject } = checkToken(ctx.token)
-      if (subject && IdentityURNSpace.is(subject)) {
-        return next({
-          ctx: {
-            ...ctx,
-            identityURN: subject,
-          },
-        })
-      }
-    } catch (error) {
-      if (error instanceof RollupError) return next({ ctx })
-      else throw error
+    const { sub: subject } = checkToken(ctx.token)
+    if (subject && IdentityURNSpace.is(subject)) {
+      return next({
+        ctx: {
+          ...ctx,
+          identityURN: subject,
+        },
+      })
     }
   }
 

packages/types/index.ts

@@ -10,5 +10,6 @@ export * as Router from './router'
 export * as Headers from './headers'
 export * as Email from './email'
 export * as Graph from './graph'
+export * as Node from './node'
 
 export type { default as BaseContext, DeploymentMetadata } from './context'

packages/types/node.ts

@@ -0,0 +1,11 @@
+import { RollupError } from '@proofzero/errors'
+
+export type NodeMethodReturnValue<T, E = RollupError> =
+  | {
+      value: T
+      error?: undefined
+    }
+  | {
+      value?: undefined
+      error: E | Error
+    }

packages/types/package.json

@@ -29,5 +29,8 @@
     "npm-run-all": "4.1.5",
     "prettier": "2.8.0",
     "typescript": "5.0.4"
+  },
+  "dependencies": {
+    "@proofzero/errors": "workspace:*"
   }
 }

packages/utils/errors.ts

@@ -70,7 +70,7 @@ export const ROLLUP_ERROR_CLASS_BY_CODE = {
   [ERROR_CODES.NOT_FOUND]: NotFoundError,
 }
 
-export const getErrorCause = (error: unknown): Error => {
+export const getErrorCause = (error: unknown): RollupError | Error => {
   if (error instanceof RollupError) {
     return error
   } else if (error instanceof TRPCClientError) {

packages/utils/yoga.ts

@@ -1,7 +1,20 @@
+import { RollupError, HTTP_STATUS_CODES } from '@proofzero/errors'
+
 import { getErrorCause } from './errors'
 
-export const formatError = (error: unknown): Error | undefined => {
+export const formatError = (error: unknown) => {
   if (!(error instanceof Error)) return
   if (!('originalError' in error)) return
-  return getErrorCause(error.originalError)
+  const cause = getErrorCause(error.originalError)
+  if (cause instanceof RollupError)
+    return {
+      ...cause,
+      extensions: {
+        http: {
+          status: HTTP_STATUS_CODES[cause.code],
+        },
+      },
+    }
+
+  return cause
 }

platform/authorization/src/jsonrpc/methods/exchangeToken.ts

@@ -39,6 +39,7 @@ import {
 } from '@proofzero/security/persona'
 import { UnauthorizedError } from '@proofzero/errors'
 import { createAnalyticsEvent } from '@proofzero/utils/analytics'
+import { getErrorCause } from '@proofzero/utils/errors'
 
 const AuthenticationCodeInput = z.object({
   grantType: z.literal(GrantType.AuthenticationCode),
@@ -329,7 +330,8 @@ const handleRefreshToken: ExchangeTokenMethod<
   const authorizationNode = initAuthorizationNodeByName(urn, ctx.Authorization)
 
   const jwks = getJWKS(ctx)
-  await authorizationNode.class.verify(refreshToken, jwks)
+  const { error } = await authorizationNode.class.verify(refreshToken, jwks)
+  if (error) throw getErrorCause(error)
 
   const scope = payload.scope.split(' ')
   const { expirationTime } = ACCESS_TOKEN_OPTIONS

platform/authorization/src/jsonrpc/methods/getUserInfo.ts

@@ -1,11 +1,7 @@
 import { z } from 'zod'
 import { decodeJwt } from 'jose'
 
-import {
-  BadRequestError,
-  InternalServerError,
-  UnauthorizedError,
-} from '@proofzero/errors'
+import { BadRequestError, UnauthorizedError } from '@proofzero/errors'
 import { AuthorizationURNSpace } from '@proofzero/urns/authorization'
 import { IdentityURNSpace } from '@proofzero/urns/identity'
 import { AuthorizationJWTPayload } from '@proofzero/types/authorization'
@@ -19,6 +15,7 @@ import {
   userClaimsFormatter,
 } from '@proofzero/security/persona'
 import { PersonaData } from '@proofzero/types/application'
+import { getErrorCause } from '@proofzero/utils/errors'
 
 export const GetUserInfoInput = z.object({
   access_token: z.string(),
@@ -54,7 +51,12 @@ export const getUserInfoMethod = async ({
   const urn = AuthorizationURNSpace.componentizedUrn(nss)
   const authorizationNode = initAuthorizationNodeByName(urn, ctx.Authorization)
   const jwks = getJWKS(ctx)
-  await authorizationNode.class.verify(token, jwks, { issuer: input.issuer })
+
+  const { error } = await authorizationNode.class.verify(token, jwks, {
+    issuer: input.issuer,
+  })
+
+  if (error) throw getErrorCause(error)
 
   const personaData = await authorizationNode.storage.get<PersonaData>(
     'personaData'

platform/authorization/src/jsonrpc/methods/verifyToken.ts

@@ -5,6 +5,7 @@ import { router } from '@proofzero/platform.core'
 import type { AuthorizationJWTPayload } from '@proofzero/types/authorization'
 import { AuthorizationURNSpace } from '@proofzero/urns/authorization'
 import { IdentityURNSpace } from '@proofzero/urns/identity'
+import { getErrorCause } from '@proofzero/utils/errors'
 
 import { Context } from '../../context'
 import { getJWKS } from '../../jwk'
@@ -62,5 +63,8 @@ export const verifyTokenMethod: VerifyTokenMethod = async ({ ctx, input }) => {
   const urn = AuthorizationURNSpace.componentizedUrn(nss)
   const node = initAuthorizationNodeByName(urn, ctx.Authorization)
   const jwks = getJWKS(ctx)
-  return node.class.verify(token, jwks, { issuer })
+
+  const { value, error } = await node.class.verify(token, jwks, { issuer })
+  if (error) throw getErrorCause(error)
+  return value
 }

platform/authorization/src/nodes/authorization.ts

@@ -5,7 +5,8 @@ import * as jose from 'jose'
 import { hexlify } from '@ethersproject/bytes'
 import { randomBytes } from '@ethersproject/random'
 
-import { InternalServerError } from '@proofzero/errors'
+import { InternalServerError, RollupError } from '@proofzero/errors'
+import { NodeMethodReturnValue } from '@proofzero/types/node'
 
 import { IdentityURN } from '@proofzero/urns/identity'
 import type { Scope } from '@proofzero/types/authorization'
@@ -176,19 +177,25 @@ export default class Authorization extends DOProxy {
     jwt: string,
     jwks: jose.JSONWebKeySet,
     options: jose.JWTVerifyOptions = {}
-  ): Promise<jose.JWTVerifyResult> {
+  ): Promise<NodeMethodReturnValue<jose.JWTVerifyResult, RollupError>> {
     const { kid } = jose.decodeProtectedHeader(jwt)
     if (kid) {
       try {
-        return await jose.jwtVerify(jwt, jose.createLocalJWKSet(jwks), options)
+        return {
+          value: await jose.jwtVerify(
+            jwt,
+            jose.createLocalJWKSet(jwks),
+            options
+          ),
+        }
       } catch (error) {
         if (error instanceof jose.errors.JWTClaimValidationFailed)
-          throw TokenClaimValidationFailedError
+          return { error: TokenClaimValidationFailedError }
         else if (error instanceof jose.errors.JWTExpired)
-          throw ExpiredTokenError
+          return { error: ExpiredTokenError }
         else if (error instanceof jose.errors.JWTInvalid)
-          throw InvalidTokenError
-        else throw TokenVerificationFailedError
+          return { error: InvalidTokenError }
+        else return { error: TokenVerificationFailedError }
       }
     } else {
       // TODO: Initial signing keys didn't have `kid` property.
@@ -199,28 +206,30 @@ export default class Authorization extends DOProxy {
         const { alg } = JWT_OPTIONS
         const key = await jose.importJWK(local, alg)
         try {
-          return await jose.jwtVerify(jwt, key, options)
+          return { value: await jose.jwtVerify(jwt, key, options) }
         } catch (error) {
           if (error instanceof jose.errors.JWTClaimValidationFailed)
-            throw TokenClaimValidationFailedError
+            return { error: TokenClaimValidationFailedError }
           else if (error instanceof jose.errors.JWTExpired)
-            throw ExpiredTokenError
+            return { error: ExpiredTokenError }
           else if (error instanceof jose.errors.JWTInvalid)
-            throw InvalidTokenError
-          else throw TokenVerificationFailedError
+            return { error: InvalidTokenError }
+          else return { error: TokenVerificationFailedError }
         }
       }
     }
 
-    throw TokenVerificationFailedError
+    return { error: TokenVerificationFailedError }
   }
 
   async revoke(
     token: string,
     jwks: jose.JSONWebKeySet,
     options: jose.JWTVerifyOptions = {}
   ): Promise<void> {
-    const { payload } = await this.verify(token, jwks, options)
+    const { value, error } = await this.verify(token, jwks, options)
+    if (error) throw error
+    const { payload } = value
     await this.state.storage.transaction(async (txn) => {
       const { jti } = payload
       if (!jti) {

yarn.lock

@@ -6702,6 +6702,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@proofzero/types@workspace:packages/types"
   dependencies:
+    "@proofzero/errors": "workspace:*"
     "@types/node": 18.15.3
     "@typescript-eslint/eslint-plugin": 5.45.0
     "@typescript-eslint/parser": 5.45.0