nhcarrigan/elysium
9
0
Fork 0
generated from nhcarrigan/template
Code Issues 5 Pull Requests 1 Actions Releases 10 Activity

fix: suppress expired-token log noise and redirect expired sessions to login
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m11s
Details
CI / Lint, Build & Test (pull_request) Successful in 1m14s
Details

Browse Source 
- authMiddleware no longer logs token expiry as an error; only tampered
  or malformed tokens (genuinely suspicious) trigger logger.error
- fetchJson clears elysium_token and elysium_save_signature from
  localStorage and redirects to / on any 401, so players with expired
  sessions see the login page instead of a stuck error screen
This commit is contained in:
Hikari
2026-04-06 20:13:25 -07:00
committed by Naomi Carrigan
parent 3afe64e48a
commit d5284ff78c
3 changed files with 51 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/middleware/auth.ts
+10 -6
View File
@@ -35,12 +35,16 @@ export const authMiddleware: MiddlewareHandler<HonoEnvironment> = async(
const payload = verifyToken(token); const payload = verifyToken(token);
context.set("discordId", payload.discordId); context.set("discordId", payload.discordId);
} catch (error) { } catch (error) {
void logger.error( const isExpiredToken
"auth_middleware", = error instanceof Error && error.message === "Token has expired";
error instanceof Error if (!isExpiredToken) {
? error void logger.error(
: new Error(String(error)), "auth_middleware",
); error instanceof Error
? error
: new Error(String(error)),
);
}
return context.json({ error: "Invalid or expired token" }, 401); return context.json({ error: "Invalid or expired token" }, 401);
} }
apps/api/test/middleware/auth.spec.ts
+36 -5
View File
@@ -6,18 +6,26 @@ vi.mock("../../src/services/jwt.js", () => ({
verifyToken: vi.fn(), verifyToken: vi.fn(),
})); }));
vi.mock("../../src/services/logger.js", () => ({
logger: {
error: vi.fn().mockResolvedValue(undefined),
},
}));
describe("authMiddleware", () => { describe("authMiddleware", () => {
beforeEach(() => { beforeEach(() => {
vi.resetModules(); vi.resetModules();
vi.clearAllMocks();
}); });
const makeApp = async () => { const makeApp = async () => {
const { authMiddleware } = await import("../../src/middleware/auth.js"); const { authMiddleware } = await import("../../src/middleware/auth.js");
const { verifyToken } = await import("../../src/services/jwt.js"); const { verifyToken } = await import("../../src/services/jwt.js");
const { logger } = await import("../../src/services/logger.js");
const app = new Hono<{ Variables: { discordId: string } }>(); const app = new Hono<{ Variables: { discordId: string } }>();
app.use("*", authMiddleware); app.use("*", authMiddleware);
app.get("/test", (c) => c.json({ discordId: c.get("discordId") })); app.get("/test", (c) => c.json({ discordId: c.get("discordId") }));
return { app, verifyToken }; return { app, logger, verifyToken };
}; };
it("returns 401 when Authorization header is missing", async () => { it("returns 401 when Authorization header is missing", async () => {
@@ -45,8 +53,8 @@ describe("authMiddleware", () => {
expect(body.discordId).toBe("user_123"); expect(body.discordId).toBe("user_123");
}); });
it("returns 401 when verifyToken throws", async () => { it("returns 401 and logs when verifyToken throws a non-expiry error", async () => {
const { app, verifyToken } = await makeApp(); const { app, logger, verifyToken } = await makeApp();
vi.mocked(verifyToken).mockImplementationOnce(() => { vi.mocked(verifyToken).mockImplementationOnce(() => {
throw new Error("Invalid token"); throw new Error("Invalid token");
}); });
@@ -54,10 +62,15 @@ describe("authMiddleware", () => {
headers: { Authorization: "Bearer bad_token" }, headers: { Authorization: "Bearer bad_token" },
})); }));
expect(res.status).toBe(401); expect(res.status).toBe(401);
/* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
expect((logger.error as ReturnType<typeof vi.fn>)).toHaveBeenCalledWith(
"auth_middleware",
expect.any(Error),
);
}); });
it("returns 401 when verifyToken throws a non-Error value", async () => { it("returns 401 and logs when verifyToken throws a non-Error value", async () => {
const { app, verifyToken } = await makeApp(); const { app, logger, verifyToken } = await makeApp();
vi.mocked(verifyToken).mockImplementationOnce(() => { vi.mocked(verifyToken).mockImplementationOnce(() => {
throw "raw string error"; throw "raw string error";
}); });
@@ -65,5 +78,23 @@ describe("authMiddleware", () => {
headers: { Authorization: "Bearer bad_token" }, headers: { Authorization: "Bearer bad_token" },
})); }));
expect(res.status).toBe(401); expect(res.status).toBe(401);
/* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
expect((logger.error as ReturnType<typeof vi.fn>)).toHaveBeenCalledWith(
"auth_middleware",
expect.any(Error),
);
});
it("returns 401 without logging when token has expired", async () => {
const { app, logger, verifyToken } = await makeApp();
vi.mocked(verifyToken).mockImplementationOnce(() => {
throw new Error("Token has expired");
});
const res = await app.fetch(new Request("http://localhost/test", {
headers: { Authorization: "Bearer expired_token" },
}));
expect(res.status).toBe(401);
/* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
expect((logger.error as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
}); });
}); });
apps/web/src/api/client.ts
+5
View File
@@ -92,6 +92,11 @@ const fetchJson = async <T>(
= typeof errorBody.error === "string" = typeof errorBody.error === "string"
? errorBody.error ? errorBody.error
: "Unknown error"; : "Unknown error";
if (response.status === 401) {
globalThis.localStorage.removeItem("elysium_token");
globalThis.localStorage.removeItem("elysium_save_signature");
globalThis.location.href = "/";
}
if (response.status >= 400 && response.status < 500) { if (response.status >= 400 && response.status < 500) {
throw new ValidationError(message, response.status); throw new ValidationError(message, response.status);
} }