fix: don't throw error for exp/iss not found

2026-05-29 06:59:36 +00:00 · 2026-02-11 21:11:04 +08:00
parent ac2c067f17
commit 5d515a8e28
2 changed files with 46 additions and 3 deletions
--- a/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
+++ b/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
@@ -1,6 +1,7 @@
 (ns logseq.db-sync.worker.auth
  (:require [clojure.string :as string]
-            [logseq.common.authorization :as authorization]))
+            [logseq.common.authorization :as authorization]
+            [promesa.core :as p]))

 (defn- bearer-token [auth-header]
  (when (and (string? auth-header) (string/starts-with? auth-header "Bearer "))
@@ -30,8 +31,21 @@
    (catch :default _
      nil)))

+(def ^:private recoverable-auth-errors
+  #{"invalid" "iss not found" "aud not found" "exp" "kid"})
+
+(defn- recoverable-auth-error?
+  [error]
+  (when error
+    (let [message (or (ex-message error) (some-> error .-message))]
+      (contains? recoverable-auth-errors message))))
+
 (defn auth-claims [request env]
  (let [token (token-from-request request)]
    (if (string? token)
-      (authorization/verify-jwt token env)
-      (js/Promise.resolve nil))))
+      (-> (authorization/verify-jwt token env)
+          (p/catch (fn [error]
+                     (if (recoverable-auth-error? error)
+                       nil
+                       (p/rejected error)))))
+      (p/resolved nil))))
--- a/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
+++ b/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
@@ -27,3 +27,32 @@
               (p/catch (fn [error]
                          (is false (str error))
                          (done)))))))
+
+(deftest auth-claims-expired-token-returns-nil-test
+  (async done
+         (let [request (js/Request. "http://localhost/graphs"
+                                    #js {:headers #js {"authorization" "Bearer expired-token"}})]
+           (-> (p/with-redefs [authorization/verify-jwt
+                               (fn [_token _env]
+                                 (p/rejected (ex-info "exp" {})))]
+                 (p/let [claims (auth/auth-claims request #js {})]
+                   (is (nil? claims))))
+               (p/then (fn [] (done)))
+               (p/catch (fn [error]
+                          (is false (str error))
+                          (done)))))))
+
+(deftest auth-claims-jwks-error-propagates-test
+  (async done
+         (let [request (js/Request. "http://localhost/graphs"
+                                    #js {:headers #js {"authorization" "Bearer broken-token"}})]
+           (-> (p/with-redefs [authorization/verify-jwt
+                               (fn [_token _env]
+                                 (p/rejected (ex-info "jwks" {})))]
+                 (auth/auth-claims request #js {}))
+               (p/then (fn [_]
+                         (is false "expected rejection when jwks fetch fails")
+                         (done)))
+               (p/catch (fn [error]
+                          (is (= "jwks" (ex-message error)))
+                          (done)))))))