Merge pull request #10039 from Budibase/fix/api-key-error

Improve invalid API key error messaging
2024-07-14 18:55:45 +12:00 · 2023-03-16 17:11:46 +00:00 · 2023-03-16 17:11:46 +00:00 · 02d4fc2d31
parent 739a44c79b 39bfbdfac1
commit 02d4fc2d31
2 changed files with 31 additions and 11 deletions
--- a/packages/backend-core/src/errors/errors.ts
+++ b/packages/backend-core/src/errors/errors.ts
@ -16,6 +16,7 @@ export abstract class BudibaseError extends Error {
 export enum ErrorCode {
  USAGE_LIMIT_EXCEEDED = "usage_limit_exceeded",
  FEATURE_DISABLED = "feature_disabled",
+  INVALID_API_KEY = "invalid_api_key",
  HTTP = "http",
 }

@ -85,3 +86,14 @@ export class FeatureDisabledError extends HTTPError {
    }
  }
 }
+
+// AUTH
+
+export class InvalidAPIKeyError extends BudibaseError {
+  constructor() {
+    super(
+      "Invalid API key - may need re-generated, or user doesn't exist",
+      ErrorCode.INVALID_API_KEY
+    )
+  }
+}
--- a/packages/backend-core/src/middleware/authenticated.ts
+++ b/packages/backend-core/src/middleware/authenticated.ts
@ -14,6 +14,7 @@ import { decrypt } from "../security/encryption"
 import * as identity from "../context/identity"
 import env from "../environment"
 import { Ctx, EndpointMatcher } from "@budibase/types"
+import { InvalidAPIKeyError, ErrorCode } from "../errors"

 const ONE_MINUTE = env.SESSION_UPDATE_PERIOD
  ? parseInt(env.SESSION_UPDATE_PERIOD)
@ -48,22 +49,27 @@ async function checkApiKey(apiKey: string, populateUser?: Function) {
  const decrypted = decrypt(apiKey)
  const tenantId = decrypted.split(SEPARATOR)[0]
  return doInTenant(tenantId, async () => {
-    const db = getGlobalDB()
-    // api key is encrypted in the database
-    const userId = (await queryGlobalView(
-      ViewName.BY_API_KEY,
-      {
-        key: apiKey,
-      },
-      db
-    )) as string
+    let userId
+    try {
+      const db = getGlobalDB()
+      // api key is encrypted in the database
+      userId = (await queryGlobalView(
+        ViewName.BY_API_KEY,
+        {
+          key: apiKey,
+        },
+        db
+      )) as string
+    } catch (err) {
+      userId = undefined
+    }
    if (userId) {
      return {
        valid: true,
        user: await getUser(userId, tenantId, populateUser),
      }
    } else {
-      throw "Invalid API key"
+      throw new InvalidAPIKeyError()
    }
  })
 }
@ -164,8 +170,10 @@ export default function (
      console.error(`Auth Error: ${err.message}`)
      console.error(err)
      // invalid token, clear the cookie
-      if (err && err.name === "JsonWebTokenError") {
+      if (err?.name === "JsonWebTokenError") {
        clearCookie(ctx, Cookie.Auth)
+      } else if (err?.code === ErrorCode.INVALID_API_KEY) {
+        ctx.throw(403, err.message)
      }
      // allow configuring for public access
      if ((opts && opts.publicAllowed) || publicEndpoint) {