Making it obvious that API key is invalid - error otherwise is quite cryptic.

2023-03-15 17:26:21 +00:00 · 2023-03-15 17:26:21 +00:00 · 29fc91d6d1
parent 17db2d407a
commit 29fc91d6d1
1 changed files with 22 additions and 11 deletions
--- a/packages/backend-core/src/middleware/authenticated.ts
+++ b/packages/backend-core/src/middleware/authenticated.ts
@ -48,22 +48,31 @@ async function checkApiKey(apiKey: string, populateUser?: Function) {
  const decrypted = decrypt(apiKey)
  const tenantId = decrypted.split(SEPARATOR)[0]
  return doInTenant(tenantId, async () => {
-    const db = getGlobalDB()
-    // api key is encrypted in the database
-    const userId = (await queryGlobalView(
-      ViewName.BY_API_KEY,
-      {
-        key: apiKey,
-      },
-      db
-    )) as string
+    let userId
+    try {
+      const db = getGlobalDB()
+      // api key is encrypted in the database
+      userId = (await queryGlobalView(
+        ViewName.BY_API_KEY,
+        {
+          key: apiKey,
+        },
+        db
+      )) as string
+    } catch (err) {
+      userId = undefined
+    }
    if (userId) {
      return {
        valid: true,
        user: await getUser(userId, tenantId, populateUser),
      }
    } else {
-      throw "Invalid API key"
+      throw {
+        message:
+          "Invalid API key - may need re-generated, or user doesn't exist",
+        name: "InvalidApiKey",
+      }
    }
  })
 }
@ -164,8 +173,10 @@ export default function (
      console.error(`Auth Error: ${err.message}`)
      console.error(err)
      // invalid token, clear the cookie
-      if (err && err.name === "JsonWebTokenError") {
+      if (err?.name === "JsonWebTokenError") {
        clearCookie(ctx, Cookie.Auth)
+      } else if (err?.name === "InvalidApiKey") {
+        ctx.throw(403, err.message)
      }
      // allow configuring for public access
      if ((opts && opts.publicAllowed) || publicEndpoint) {