fix(apollo): return GraphQLError if token invalid

mvantellingen · mvantellingen · commit 8b8141071b9a · 2025-03-09T18:18:57.000+01:00
We can only return `GraphQLError` in the `didResolveOperation` handler,
so return a listener with exactly that
diff --git a/.changeset/neat-lies-train.md b/.changeset/neat-lies-train.md
@@ -0,0 +1,5 @@
+---
+"@labdigital/federated-token-apollo": minor
+---
+
+Properly return GraphQLError when token is expired/invalid
diff --git a/.changeset/pre.json b/.changeset/pre.json
@@ -0,0 +1,11 @@
+{
+	"mode": "pre",
+	"tag": "1.6.0-beta.0",
+	"initialVersions": {
+		"@labdigital/federated-token-apollo": "1.4.3",
+		"@labdigital/federated-token": "1.4.3",
+		"@labdigital/federated-token-react": "1.5.0",
+		"@labdigital/federated-token-yoga": "1.4.3"
+	},
+	"changesets": []
+}
diff --git a/packages/apollo/src/gateway.test.ts b/packages/apollo/src/gateway.test.ts
@@ -35,9 +35,13 @@ describe("GatewayAuthPlugin", async () => {
 
 	const typeDefs = `#graphql
 	type Query {
+		hello(name: String): String!
 		testToken(create: Boolean, value: String): String!
 		refreshToken: String!
 	}
+	type Mutation {
+		createToken(create: Boolean, value: String, expired: Boolean): String!
+	}
 	`;
 	const resolvers = {
 		Query: {
@@ -52,7 +56,7 @@ describe("GatewayAuthPlugin", async () => {
 				if (create) {
 					context.federatedToken.setAccessToken("foo", {
 						token: "bar",
-						exp: Date.now() + 1000,
+						exp: Math.floor(Date.now() / 1000 + 1000),
 						sub: "my-user-id",
 					});
 					context.federatedToken.setRefreshToken("foo", "bar");
@@ -64,15 +68,53 @@ describe("GatewayAuthPlugin", async () => {
 
 				return JSON.stringify(context.federatedToken);
 			},
+			hello: (
+				_: unknown,
+				{ name }: { name: string },
+				context: PublicFederatedTokenContext,
+			) => {
+				return `Hello ${name}`;
+			},
 			refreshToken: (_: unknown, context: PublicFederatedTokenContext) => {
 				context.federatedToken?.setAccessToken("foo", {
 					token: "bar",
-					exp: Date.now() + 1000,
+					exp: Math.floor(Date.now() / 1000 - 1000),
 					sub: "my-user-id",
 				});
 				return JSON.stringify(context.federatedToken);
 			},
 		},
+		Mutation: {
+			createToken: (
+				_: unknown,
+				{
+					create,
+					value,
+					expired,
+				}: { create: boolean; value: string; expired: boolean },
+				context: PublicFederatedTokenContext,
+			) => {
+				if (!context.federatedToken) {
+					throw new Error("No federated token");
+				}
+				if (create) {
+					context.federatedToken.setAccessToken("foo", {
+						token: "bar",
+						exp: Math.floor(
+							expired ? Date.now() / 1000 - 1000 : Date.now() / 1000 + 1000,
+						),
+						sub: "my-user-id",
+					});
+					context.federatedToken.setRefreshToken("foo", "bar");
+				}
+
+				if (value) {
+					context.federatedToken.setValue("value", value);
+				}
+
+				return JSON.stringify(context.federatedToken);
+			},
+		},
 	};
 
 	const testServer = new ApolloServer({
@@ -222,4 +264,69 @@ describe("GatewayAuthPlugin", async () => {
 		assert.isNotEmpty(newAccessToken);
 		assert.notEqual(newAccessToken, accessToken);
 	});
+
+	it("should return GraphQLError when token expired", async () => {
+		const context = {
+			federatedToken: new PublicFederatedToken(),
+			res: httpMocks.createResponse(),
+			req: httpMocks.createRequest(),
+		};
+		await testServer.executeOperation(
+			{
+				query:
+					"mutation createToken { createToken(create: true, expired: true) }",
+				http: {
+					headers: new HeaderMap(),
+					method: "POST",
+					search: "",
+					body: "",
+				},
+			},
+			{
+				contextValue: context,
+			},
+		);
+		expect(context.res.statusCode).toBe(200);
+		expect(context.res.get("x-access-token")).toBeDefined();
+		expect(context.res.get("x-refresh-token")).toBeDefined();
+		const accessToken = context.res.get("x-access-token");
+
+		// Set received token
+		const newContext = {
+			federatedToken: new PublicFederatedToken(),
+			res: httpMocks.createResponse(),
+			req: httpMocks.createRequest({
+				headers: {
+					"x-access-token": `Bearer ${accessToken}`,
+				},
+			}),
+		};
+
+		const response = await testServer.executeOperation(
+			{
+				query: 'query hello { hello(name: "foobar") }',
+				http: {
+					headers: new HeaderMap([["x-access-token", `Bearer ${accessToken}`]]),
+					method: "POST",
+					search: "",
+					body: "",
+				},
+			},
+			{
+				contextValue: newContext,
+			},
+		);
+
+		expect(response.http.status).toBe(401);
+		assert(response.body.kind === "single"); // Make typescript happy
+		const errors = response.body.singleResult.errors;
+		expect(errors).toStrictEqual([
+			{
+				extensions: {
+					code: "UNAUTHENTICATED",
+				},
+				message: "Your token has expired.",
+			},
+		]);
+	});
 });
diff --git a/packages/apollo/src/gateway.ts b/packages/apollo/src/gateway.ts
@@ -1,6 +1,7 @@
 import type {
 	ApolloServerPlugin,
 	GraphQLRequestContext,
+	GraphQLRequestContextDidResolveSource,
 	GraphQLRequestListener,
 } from "@apollo/server";
 import { PublicFederatedToken } from "@labdigital/federated-token";
@@ -60,23 +61,37 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>
 				this.tokenSource.deleteAccessToken(contextValue.req, contextValue.res);
 
 				if (e instanceof TokenExpiredError) {
-					throw new GraphQLError("Your token has expired.", {
-						extensions: {
-							code: "UNAUTHENTICATED",
-							http: {
-								statusCode: 401,
-							},
+					return {
+						didResolveOperation: async (
+							requestContext: GraphQLRequestContextDidResolveSource<TContext>,
+						) => {
+							requestContext.response.http.status = 401;
+							throw new GraphQLError("Your token has expired.", {
+								extensions: {
+									code: "UNAUTHENTICATED",
+									http: {
+										statusCode: 401,
+									},
+								},
+							});
 						},
-					});
+					};
 				} else {
-					throw new GraphQLError("Your token is invalid.", {
-						extensions: {
-							code: "INVALID_TOKEN",
-							http: {
-								statusCode: 400,
-							},
+					return {
+						didResolveOperation: async (
+							requestContext: GraphQLRequestContextDidResolveSource<TContext>,
+						) => {
+							requestContext.response.http.status = 401;
+							throw new GraphQLError("Your token is invalid.", {
+								extensions: {
+									code: "INVALID_TOKEN",
+									http: {
+										statusCode: 400,
+									},
+								},
+							});
 						},
-					});
+					};
 				}
 			}
 		}
@@ -95,23 +110,37 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>
 			} catch (e: unknown) {
 				this.tokenSource.deleteDataToken(contextValue.req, contextValue.res);
 				if (e instanceof TokenExpiredError) {
-					throw new GraphQLError("Your token has expired.", {
-						extensions: {
-							code: "UNAUTHENTICATED",
-							http: {
-								statusCode: 401,
-							},
+					return {
+						didResolveOperation: async (
+							requestContext: GraphQLRequestContextDidResolveSource<TContext>,
+						) => {
+							requestContext.response.http.status = 401;
+							throw new GraphQLError("Your token has expired.", {
+								extensions: {
+									code: "UNAUTHENTICATED",
+									http: {
+										statusCode: 401,
+									},
+								},
+							});
 						},
-					});
+					};
 				} else {
-					throw new GraphQLError("Your token is invalid.", {
-						extensions: {
-							code: "INVALID_TOKEN",
-							http: {
-								statusCode: 400,
-							},
+					return {
+						didResolveOperation: async (
+							requestContext: GraphQLRequestContextDidResolveSource<TContext>,
+						) => {
+							requestContext.response.http.status = 401;
+							throw new GraphQLError("Your token is invalid.", {
+								extensions: {
+									code: "INVALID_TOKEN",
+									http: {
+										statusCode: 400,
+									},
+								},
+							});
 						},
-					});
+					};
 				}
 			}
 		}
diff --git a/packages/core/src/jwt.test.ts b/packages/core/src/jwt.test.ts
@@ -24,7 +24,7 @@ describe("PublicFederatedToken", async () => {
 
 	test("createAccessJWT", async () => {
 		const token = new PublicFederatedToken();
-		const expireAt = Date.now() + 60;
+		const expireAt = Math.floor(Date.now() / 1000 + 60);
 		token.tokens = {
 			exampleName: {
 				token: "exampleToken",
@@ -46,7 +46,7 @@ describe("PublicFederatedToken", async () => {
 		});
 
 		const token = new PublicFederatedToken();
-		const expireAt = Date.now() + 60;
+		const expireAt = Math.floor(Date.now() / 1000 + 60);
 		token.tokens = {
 			exampleName: {
 				token: "exampleToken",
@@ -73,7 +73,7 @@ describe("PublicFederatedToken", async () => {
 					},
 				},
 			},
-			Date.now() + 1000,
+			Math.floor(Date.now() / 1000 + 1000),
 		);
 
 		const token = new PublicFederatedToken();
diff --git a/packages/core/src/sign.ts b/packages/core/src/sign.ts
@@ -50,7 +50,7 @@ export class TokenSigner {
 					contentEncryptionAlgorithms: ["A256GCM"],
 				},
 			);
-			const data = new TextDecoder().decode(result.plaintext.buffer);
+			const data = new TextDecoder().decode(result.plaintext);
 			return JSON.parse(data);
 		} catch (e) {
 			throw createError(e);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@labdigital/federated-token-apollo": minor
 +---
++
 +Properly return GraphQLError when token is expired/invalid