Return HTTP 403 when JWT is valid but missing required claims (#1640)

Co-authored-by: Ferenc Csaky <[email protected]>

Author: velo

sqrl-server/sqrl-server-vertx-base/src/main/java/com/datasqrl/graphql/RestBridgeVerticle.java

@@ -181,9 +181,17 @@ private void createRestEndpoint(ApiOperation operation) {
             var fut = bridgeRequestToGraphQL(ctx, operation, variables);
             fut.onSuccess(
                     executionResult -> {
-                      ctx.response()
-                          .setStatusCode(executionResult.getErrors().isEmpty() ? 200 : 400)
-                          .putHeader("content-type", "application/json");
+                      var res = ctx.response();
+                      var statusCode = res.getStatusCode();
+
+                      // Preserve status code if already set to non-200
+                      // Otherwise use 200 for success, 400 for errors
+                      if (statusCode == 200) {
+                        res.setStatusCode(executionResult.getErrors().isEmpty() ? 200 : 400);
+                      }
+
+                      res.putHeader("content-type", "application/json");
+
                       if (!executionResult.getErrors().isEmpty()) {
                         var json = new JsonObject();
                         json.put(

sqrl-server/sqrl-server-vertx-base/src/main/java/com/datasqrl/graphql/auth/AuthMetadataReader.java

@@ -36,11 +36,23 @@ public Object read(DataFetchingEnvironment env, String name, boolean isRequired)
 
     if (isRequired && !principal.containsKey(name)) {
       log.warn(
-          "Attribute {} is not present on authorization, attributes: {}",
+          "Required claim '{}' is not present on authorization, attributes: {}",
           name,
           principal.attributes());
-      throw new IllegalArgumentException(
-          "Attribute '%s' is not present on authorization".formatted(name));
+
+      // Set the HTTP status to 403 directly
+      rc.response().setStatusCode(403);
+      rc.response()
+          .putHeader(
+              "WWW-Authenticate",
+              "Bearer error=\"insufficient_scope\", error_description=\"Required claim missing\"");
+
+      throw new MissingRequiredClaimException(
+          name,
+          env.getField().getSourceLocation() != null
+              ? java.util.List.of(env.getField().getSourceLocation())
+              : null,
+          env.getExecutionStepInfo().getPath());
     }
 
     var value = principal.get(name);

sqrl-server/sqrl-server-vertx-base/src/main/java/com/datasqrl/graphql/auth/MissingRequiredClaimException.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright © 2021 DataSQRL ([email protected])
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.datasqrl.graphql.auth;
+
+import graphql.GraphQLError;
+import graphql.execution.ResultPath;
+import graphql.language.SourceLocation;
+import java.util.List;
+import lombok.Getter;
+
+/**
+ * Exception thrown when a required JWT claim is missing or not present in the authorization token.
+ * This exception should result in an HTTP 403 Forbidden response.
+ */
+@Getter
+public class MissingRequiredClaimException extends RuntimeException implements GraphQLError {
+
+  private final String claimName;
+  private final List<SourceLocation> locations;
+  private final ResultPath path;
+
+  public MissingRequiredClaimException(String claimName) {
+    super("Required claim missing");
+    this.claimName = claimName;
+    this.locations = null;
+    this.path = null;
+  }
+
+  public MissingRequiredClaimException(
+      String claimName, List<SourceLocation> locations, ResultPath path) {
+    super("Required claim missing");
+    this.claimName = claimName;
+    this.locations = locations;
+    this.path = path;
+  }
+
+  @Override
+  public String getMessage() {
+    return "Forbidden";
+  }
+
+  @Override
+  public List<SourceLocation> getLocations() {
+    return locations;
+  }
+
+  @Override
+  public graphql.ErrorClassification getErrorType() {
+    return graphql.ErrorType.ValidationError;
+  }
+
+  @Override
+  public List<Object> getPath() {
+    return path != null ? path.toList() : null;
+  }
+}

sqrl-testing/sqrl-testing-container/src/test/java/com/datasqrl/container/testing/JwtContainerIT.java

@@ -64,12 +64,12 @@ static class MyTableResponse {
 
   // Feign client for testing REST endpoints
   interface RestClient {
-    @RequestLine("GET /v1/rest/queries/MyTable?limit={limit}")
-    MyTableResponse getMyTable(@Param("limit") int limit);
+    @RequestLine("GET /v1/rest/queries/AuthMyTable?limit={limit}")
+    MyTableResponse getAuthMyTable(@Param("limit") int limit);
 
-    @RequestLine("GET /v1/rest/queries/MyTable?limit={limit}")
+    @RequestLine("GET /v1/rest/queries/AuthMyTable?limit={limit}")
     @Headers("Authorization: Bearer {token}")
-    MyTableResponse getMyTableWithAuth(@Param("token") String token, @Param("limit") int limit);
+    MyTableResponse getAuthMyTableWithAuth(@Param("token") String token, @Param("limit") int limit);
   }
 
   private PostgreSQLContainer<?> postgresql;
@@ -142,18 +142,24 @@ protected void commonTearDown() {
   void givenJwt_whenUnauthenticatedGraphQL_thenReturns401() {
     compileAndStartServer("jwt-authorized-base.sqrl", testDir);
 
-    var response = executeGraphQLQuery("{\"query\":\"query { __typename }\"}");
+    var response = executeGraphQLQuery("{\"query\":\"query { AuthMyTable(limit: 5) { val } }\"}");
 
     assertThat(response.getStatusLine().getStatusCode()).isEqualTo(401);
   }
 
   @Test
   @SneakyThrows
   void givenJwt_whenAuthenticatedGraphQL_thenSucceeds() {
-    compileAndStartServer("jwt-authorized-base.sqrl", testDir);
+    compileAndStartServerWithDatabase("jwt-authorized-base.sqrl", testDir);
 
-    var response = executeGraphQLQuery("{\"query\":\"query { __typename }\"}", generateJwtToken());
-    validateBasicGraphQLResponse(response);
+    var response =
+        executeGraphQLQuery(
+            "{\"query\":\"query { AuthMyTable(limit: 5) { val } }\"}", generateJwtToken());
+
+    assertThat(response.getStatusLine().getStatusCode()).isEqualTo(200);
+    var responseBody = EntityUtils.toString(response.getEntity());
+    assertThat(responseBody).contains("\"data\"");
+    assertThat(responseBody).contains("\"AuthMyTable\"");
   }
 
   @Test
@@ -163,7 +169,8 @@ void givenJwt_whenBadToken_thenReturns401() {
 
     // Generate token with RS256 algorithm while server expects HS256
     var response =
-        executeGraphQLQuery("{\"query\":\"query { __typename }\"}", generateRS256JwtToken());
+        executeGraphQLQuery(
+            "{\"query\":\"query { AuthMyTable(limit: 5) { val } }\"}", generateRS256JwtToken());
 
     assertThat(response.getStatusLine().getStatusCode()).isEqualTo(401);
 
@@ -181,7 +188,9 @@ void givenJwt_whenCorruptedToken_thenReturns401() {
     compileAndStartServer("jwt-authorized-base.sqrl", testDir);
 
     // Generate token with RS256 algorithm while server expects HS256
-    var response = executeGraphQLQuery("{\"query\":\"query { __typename }\"}", "dummy-invalid-jwt");
+    var response =
+        executeGraphQLQuery(
+            "{\"query\":\"query { AuthMyTable(limit: 5) { val } }\"}", "dummy-invalid-jwt");
 
     assertThat(response.getStatusLine().getStatusCode()).isEqualTo(401);
 
@@ -194,6 +203,29 @@ void givenJwt_whenCorruptedToken_thenReturns401() {
     assertThat(responseBody).contains("\"IllegalArgumentException: Invalid format for JWT\"");
   }
 
+  @Test
+  @SneakyThrows
+  void givenJwt_whenMissingRequiredClaims_thenReturns403() {
+    compileAndStartServer("jwt-authorized-base.sqrl", testDir);
+
+    try {
+      // Generate valid JWT token but with empty claims (missing required claims)
+      var response =
+          executeGraphQLQuery(
+              "{\"query\":\"query { AuthMyTable(limit: 5) { val } }\"}",
+              generateJwtToken(Map.of()));
+
+      // Valid token but missing required claims should return 403 Forbidden
+      var responseBody = EntityUtils.toString(response.getEntity());
+      assertThat(response.getStatusLine().getStatusCode()).isEqualTo(403);
+      assertThat(responseBody).contains("\"errors\"");
+    } finally {
+      var logs = serverContainer.getLogs();
+      log.info("Detailed server logs:");
+      System.out.println(logs);
+    }
+  }
+
   @Test
   @SneakyThrows
   void givenJwt_whenUnauthenticatedMcp_thenFails() {
@@ -251,7 +283,7 @@ void givenJwt_whenAuthenticatedMcp_thenSucceeds() {
       // Test calling a tool that doesn't require auth metadata
       var myTableTool =
           tools.tools().stream()
-              .filter(tool -> "GetMyTable".equals(tool.name()))
+              .filter(tool -> "GetAuthMyTable".equals(tool.name()))
               .findFirst()
               .orElseThrow(() -> new RuntimeException("GetMyTable tool not found"));
       log.info("Testing tool call: {}", myTableTool.name());
@@ -274,10 +306,60 @@ void givenJwt_whenAuthenticatedMcp_thenSucceeds() {
     }
   }
 
+  @Test
+  @SneakyThrows
+  void givenJwt_whenMissingRequiredClaimsMcp_thenFails() {
+    compileAndStartServer("jwt-authorized-base.sqrl", testDir);
+
+    var mcpUrl =
+        String.format(
+            "http://localhost:%d/v1/mcp", serverContainer.getMappedPort(HTTP_SERVER_PORT));
+    var jwtToken = generateJwtToken(Map.of());
+    log.info("Testing MCP endpoint with JWT missing claims: {}", mcpUrl);
+
+    // Create MCP client with JWT authentication but missing required claims
+    var transport =
+        HttpClientStreamableHttpTransport.builder(mcpUrl)
+            .customizeRequest(r -> r.header("Authorization", "Bearer " + jwtToken))
+            .endpoint("/v1/mcp")
+            .build();
+
+    try (var client = McpClient.sync(transport).requestTimeout(Duration.ofSeconds(10)).build(); ) {
+      // Should succeed with proper JWT - authentication passes
+      client.initialize();
+
+      var tools = client.listTools();
+
+      log.info("Successfully listed {} tools", tools.tools().size());
+      assertThat(tools).isNotNull();
+      assertThat(tools.tools()).isNotNull();
+      assertThat(tools.tools()).isNotEmpty();
+
+      // Test calling a tool that requires auth metadata - should fail with Forbidden
+      var myTableTool =
+          tools.tools().stream()
+              .filter(tool -> "GetAuthMyTable".equals(tool.name()))
+              .findFirst()
+              .orElseThrow(() -> new RuntimeException("GetAuthMyTable tool not found"));
+      log.info("Testing tool call: {}", myTableTool.name());
+
+      var callRequest =
+          McpSchema.CallToolRequest.builder()
+              .name(myTableTool.name())
+              .arguments(Map.of("limit", 5))
+              .build();
+
+      // Should throw exception when calling tool with missing required claims
+      assertThatThrownBy(() -> client.callTool(callRequest))
+          .isInstanceOf(RuntimeException.class)
+          .hasMessageContaining("Forbidden");
+    }
+  }
+
   @Test
   @SneakyThrows
   void givenJwt_whenUnauthenticatedRest_thenReturns401() {
-    compileAndStartServerWithDatabase("jwt-authorized-base.sqrl", testDir);
+    compileAndStartServer("jwt-authorized-base.sqrl", testDir);
 
     var restUrl =
         String.format("http://localhost:%d", serverContainer.getMappedPort(HTTP_SERVER_PORT));
@@ -289,8 +371,8 @@ void givenJwt_whenUnauthenticatedRest_thenReturns401() {
             .decoder(new JacksonDecoder())
             .target(RestClient.class, restUrl);
 
-    // When JWT is enabled, all REST endpoints require authentication
-    assertThatThrownBy(() -> restClient.getMyTable(5))
+    // AuthMyTable endpoint requires authentication
+    assertThatThrownBy(() -> restClient.getAuthMyTable(5))
         .isInstanceOf(FeignException.Unauthorized.class)
         .hasMessageContaining("JWT auth failed");
   }
@@ -312,7 +394,7 @@ void givenJwt_whenAuthenticatedRest_thenSucceeds() {
             .target(RestClient.class, restUrl);
 
     // REST endpoint should work with valid JWT
-    var response = restClient.getMyTableWithAuth(jwtToken, 5);
+    var response = restClient.getAuthMyTableWithAuth(jwtToken, 5);
     log.info("REST endpoint response with JWT: {}", response);
 
     assertThat(response).isNotNull();
@@ -321,19 +403,53 @@ void givenJwt_whenAuthenticatedRest_thenSucceeds() {
     assertThat(response.data).allSatisfy(item -> assertThat(item.val).isPositive());
   }
 
+  @Test
+  @SneakyThrows
+  void givenJwt_whenMissingRequiredClaimsRest_thenReturns403() {
+    compileAndStartServer("jwt-authorized-base.sqrl", testDir);
+
+    var restUrl =
+        String.format("http://localhost:%d", serverContainer.getMappedPort(HTTP_SERVER_PORT));
+    var jwtToken = generateJwtToken(Map.of());
+    log.info("Testing REST endpoint with JWT missing claims: {}", restUrl);
+
+    try {
+      var restClient =
+          Feign.builder()
+              .encoder(new JacksonEncoder())
+              .decoder(new JacksonDecoder())
+              .target(RestClient.class, restUrl);
+
+      // Valid token but missing required claims should return 403 Forbidden
+      assertThatThrownBy(() -> restClient.getAuthMyTableWithAuth(jwtToken, 5))
+          .isInstanceOf(FeignException.Forbidden.class);
+    } finally {
+      var logs = serverContainer.getLogs();
+      log.info("Detailed MCP Validation Results:");
+      System.out.println(logs);
+    }
+  }
+
   private String generateJwtToken() {
+    return generateJwtToken(Map.of("val", 1, "values", List.of(1, 2, 3)));
+  }
+
+  private String generateJwtToken(Map<String, Object> claims) {
     var now = Instant.now();
     var expiration = now.plus(1, ChronoUnit.HOURS);
 
-    return Jwts.builder()
-        .issuer("my-test-issuer")
-        .audience()
-        .add("my-test-audience")
-        .and()
-        .issuedAt(Date.from(now))
-        .expiration(Date.from(expiration))
-        .claim("val", 1)
-        .claim("values", List.of(1, 2, 3))
+    var builder =
+        Jwts.builder()
+            .issuer("my-test-issuer")
+            .audience()
+            .add("my-test-audience")
+            .and()
+            .issuedAt(Date.from(now))
+            .expiration(Date.from(expiration));
+
+    claims.forEach(builder::claim);
+
+    return builder
         .signWith(
             new SecretKeySpec(
                 "testSecretThatIsAtLeast256BitsLong32Chars".getBytes(UTF_8), "HmacSHA256"))

sqrl-testing/sqrl-testing-integration/src/test/java/com/datasqrl/FullUseCaseIT.java

@@ -61,7 +61,7 @@ public class FullUseCaseIT extends AbstractFullUseCaseTest {
   @Disabled("Intended for manual usage")
   @Test
   void specificUseCase() {
-    var pkg = USE_CASES.resolve("avro-schema-legacy-ts").resolve("package.json");
+    var pkg = USE_CASES.resolve("jwt-authorized").resolve("package.json");
 
     var param = new UseCaseParam(pkg);
     fullUseCaseTest(param);

sqrl-testing/sqrl-testing-integration/src/test/resources/usecases/jwt-authorized/snapshots/AuthMyTable-valid-no-val.snapshot

@@ -1,6 +1,6 @@
 {
   "errors" : [ {
-    "message" : "Exception while fetching data (/AuthMyTable) : Attribute 'val' is not present on authorization",
+    "message" : "Exception while fetching data (/AuthMyTable) : Forbidden",
     "locations" : [ {
       "line" : 2,
       "column" : 3