1 неделя назад · 5d515a8e28
--- a/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
+++ b/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
@@ -1,6 +1,7 @@
 
				 (ns logseq.db-sync.worker.auth
			
 
				   (:require [clojure.string :as string]
			
 
				-            [logseq.common.authorization :as authorization]))
			
 
				+            [logseq.common.authorization :as authorization]
			
 
				+            [promesa.core :as p]))
			
 
				 
			
 
				 (defn- bearer-token [auth-header]
			
 
				   (when (and (string? auth-header) (string/starts-with? auth-header "Bearer "))
			
@@ -30,8 +31,21 @@
 
				     (catch :default _
			
 
				       nil)))
			
 
				 
			
 
				+(def ^:private recoverable-auth-errors
			
 
				+  #{"invalid" "iss not found" "aud not found" "exp" "kid"})
			
 
				+
			
 
				+(defn- recoverable-auth-error?
			
 
				+  [error]
			
 
				+  (when error
			
 
				+    (let [message (or (ex-message error) (some-> error .-message))]
			
 
				+      (contains? recoverable-auth-errors message))))
			
 
				+
			
 
				 (defn auth-claims [request env]
			
 
				   (let [token (token-from-request request)]
			
 
				     (if (string? token)
			
 
				-      (authorization/verify-jwt token env)
			
 
				-      (js/Promise.resolve nil))))
			
 
				+      (-> (authorization/verify-jwt token env)
			
 
				+          (p/catch (fn [error]
			
 
				+                     (if (recoverable-auth-error? error)
			
 
				+                       nil
			
 
				+                       (p/rejected error)))))
			
 
				+      (p/resolved nil))))
			
--- a/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
+++ b/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
@@ -27,3 +27,32 @@
 
				                (p/catch (fn [error]
			
 
				                           (is false (str error))
			
 
				                           (done)))))))
			
 
				+
			
 
				+(deftest auth-claims-expired-token-returns-nil-test
			
 
				+  (async done
			
 
				+         (let [request (js/Request. "http://localhost/graphs"
			
 
				+                                    #js {:headers #js {"authorization" "Bearer expired-token"}})]
			
 
				+           (-> (p/with-redefs [authorization/verify-jwt
			
 
				+                               (fn [_token _env]
			
 
				+                                 (p/rejected (ex-info "exp" {})))]
			
 
				+                 (p/let [claims (auth/auth-claims request #js {})]
			
 
				+                   (is (nil? claims))))
			
 
				+               (p/then (fn [] (done)))
			
 
				+               (p/catch (fn [error]
			
 
				+                          (is false (str error))
			
 
				+                          (done)))))))
			
 
				+
			
 
				+(deftest auth-claims-jwks-error-propagates-test
			
 
				+  (async done
			
 
				+         (let [request (js/Request. "http://localhost/graphs"
			
 
				+                                    #js {:headers #js {"authorization" "Bearer broken-token"}})]
			
 
				+           (-> (p/with-redefs [authorization/verify-jwt
			
 
				+                               (fn [_token _env]
			
 
				+                                 (p/rejected (ex-info "jwks" {})))]
			
 
				+                 (auth/auth-claims request #js {}))
			
 
				+               (p/then (fn [_]
			
 
				+                         (is false "expected rejection when jwks fetch fails")
			
 
				+                         (done)))
			
 
				+               (p/catch (fn [error]
			
 
				+                          (is (= "jwks" (ex-message error)))
			
 
				+                          (done)))))))