Fix 401 error handling, add tests (#507)

* Add WWW-Authenticate to exposed CORS headers

* Fix 401 error handling, add tests

* Add a test for expired token error

* Update to supertest 3.0.0

* Convert 401 tests to Promise interface

* Rewrite error-pages handler, add tests

* Change 401 error logic on empty bearer token

* Return a 400 error on empty bearer token header

Author: dmitrizagidulin

lib/api/authn/webid-oidc.js

@@ -67,6 +67,78 @@ function middleware (oidc) {
   return router
 }
 
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ */
+function setAuthenticateHeader (req, res, err) {
+  let locals = req.app.locals
+
+  let errorParams = {
+    realm: locals.host.serverUri,
+    scope: 'openid',
+    error: err.error,
+    error_description: err.error_description,
+    error_uri: err.error_uri
+  }
+
+  let challengeParams = Object.keys(errorParams)
+    .filter(key => !!errorParams[key])
+    .map(key => `${key}="${errorParams[key]}"`)
+    .join(', ')
+
+  res.set('WWW-Authenticate', 'Bearer ' + challengeParams)
+}
+
+/**
+ * Provides custom logic for error status code overrides.
+ *
+ * @param statusCode {number}
+ * @param req {IncomingRequest}
+ *
+ * @returns {number}
+ */
+function statusCodeOverride (statusCode, req) {
+  if (isEmptyToken(req)) {
+    return 400
+  } else {
+    return statusCode
+  }
+}
+
+/**
+ * Tests whether the `Authorization:` header includes an empty or missing Bearer
+ * token.
+ *
+ * @param req {IncomingRequest}
+ *
+ * @returns {boolean}
+ */
+function isEmptyToken (req) {
+  let header = req.get('Authorization')
+
+  if (!header) { return false }
+
+  if (header.startsWith('Bearer')) {
+    let fragments = header.split(' ')
+
+    if (fragments.length === 1) {
+      return true
+    } else if (!fragments[1]) {
+      return true
+    }
+  }
+
+  return false
+}
+
 module.exports = {
-  middleware
+  isEmptyToken,
+  middleware,
+  setAuthenticateHeader,
+  statusCodeOverride
 }

lib/api/authn/webid-tls.js

@@ -1,6 +1,3 @@
-module.exports = handler
-module.exports.authenticate = authenticate
-
 var webid = require('webid/tls')
 var debug = require('../../debug').authentication
 
@@ -43,3 +40,23 @@ function setEmptySession (req) {
   req.session.userId = ''
   req.session.identified = false
 }
+
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ */
+function setAuthenticateHeader (req, res) {
+  let locals = req.app.locals
+
+  res.set('WWW-Authenticate', `WebID-TLS realm="${locals.host.serverUri}"`)
+}
+
+module.exports = {
+  authenticate,
+  handler,
+  setAuthenticateHeader,
+  setEmptySession
+}

lib/create-app.js

@@ -25,7 +25,7 @@ const corsSettings = cors({
   methods: [
     'OPTIONS', 'HEAD', 'GET', 'PATCH', 'POST', 'PUT', 'DELETE'
   ],
-  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, Content-Length',
+  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, Content-Length, WWW-Authenticate',
   credentials: true,
   maxAge: 1728000,
   origin: true,
@@ -71,7 +71,7 @@ function createApp (argv = {}) {
   app.use('/', LdpMiddleware(corsSettings))
 
   // Errors
-  app.use(errorPages)
+  app.use(errorPages.handler)
 
   return app
 }

lib/handlers/error-pages.js

@@ -1,53 +1,188 @@
-module.exports = handler
+const debug = require('../debug').server
+const fs = require('fs')
+const util = require('../utils')
+const Auth = require('../api/authn')
 
-var debug = require('../debug').server
-var fs = require('fs')
-var util = require('../utils')
+// Authentication methods that require a Provider Select page
+const SELECT_PROVIDER_AUTH_METHODS = ['oidc']
 
+/**
+ * Serves as a last-stop error handler for all other middleware.
+ *
+ * @param err {Error}
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ * @param next {Function}
+ */
 function handler (err, req, res, next) {
   debug('Error page because of ' + err.message)
 
-  var ldp = req.app.locals.ldp
-
-  if (err.status === 401 &&
-      req.accepts('text/html') &&
-      ldp.auth === 'oidc') {
-    debug('401 error - redirect to Select Provider')
-    res.status(err.status)
-    redirectToLogin(req, res, next)
-    return
-  }
+  let locals = req.app.locals
+  let authMethod = locals.authMethod
+  let ldp = locals.ldp
 
-  // If the user specifies this function
-  // then, they can customize the error programmatically
+  // If the user specifies this function,
+  // they can customize the error programmatically
   if (ldp.errorHandler) {
+    debug('Using custom error handler')
     return ldp.errorHandler(err, req, res, next)
   }
 
+  let statusCode = statusCodeFor(err, req, authMethod)
+
+  if (statusCode === 401) {
+    setAuthenticateHeader(req, res, err)
+  }
+
+  if (requiresSelectProvider(authMethod, statusCode, req)) {
+    return redirectToSelectProvider(req, res)
+  }
+
   // If noErrorPages is set,
-  // then use built-in express default error handler
+  // then return the response directly
   if (ldp.noErrorPages) {
-    res
-      .status(err.status)
-      .send(err.message + '\n' || '')
-    return
+    sendErrorResponse(statusCode, res, err)
+  } else {
+    sendErrorPage(statusCode, res, err, ldp)
+  }
+}
+
+/**
+ * Returns the HTTP status code for a given request error.
+ *
+ * @param err {Error}
+ * @param req {IncomingRequest}
+ * @param authMethod {string}
+ *
+ * @returns {number}
+ */
+function statusCodeFor (err, req, authMethod) {
+  let statusCode = err.status || err.statusCode || 500
+
+  if (authMethod === 'oidc') {
+    statusCode = Auth.oidc.statusCodeOverride(statusCode, req)
   }
 
-  // Check if error page exists
-  var errorPage = ldp.errorPages + err.status.toString() + '.html'
-  fs.readFile(errorPage, 'utf8', function (readErr, text) {
-    if (readErr) {
-      return res
-        .status(err.status)
-        .send(err.message || '')
-    }
-
-    res.status(err.status)
-    res.header('Content-Type', 'text/html')
-    res.send(text)
+  return statusCode
+}
+
+/**
+ * Tests whether a given authentication method requires a Select Provider
+ * page redirect for 401 error responses.
+ *
+ * @param authMethod {string}
+ * @param statusCode {number}
+ * @param req {IncomingRequest}
+ *
+ * @returns {boolean}
+ */
+function requiresSelectProvider (authMethod, statusCode, req) {
+  if (statusCode !== 401) { return false }
+
+  if (!SELECT_PROVIDER_AUTH_METHODS.includes(authMethod)) { return false }
+
+  if (!req.accepts('text/html')) { return false }
+
+  return true
+}
+
+/**
+ * Dispatches the writing of the `WWW-Authenticate` response header (used for
+ * 401 Unauthorized responses).
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ */
+function setAuthenticateHeader (req, res, err) {
+  let locals = req.app.locals
+  let authMethod = locals.authMethod
+
+  switch (authMethod) {
+    case 'oidc':
+      Auth.oidc.setAuthenticateHeader(req, res, err)
+      break
+    case 'tls':
+      Auth.tls.setAuthenticateHeader(req, res)
+      break
+    default:
+      break
+  }
+}
+
+/**
+ * Sends the HTTP status code and error message in the response.
+ *
+ * @param statusCode {number}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ */
+function sendErrorResponse (statusCode, res, err) {
+  res.status(statusCode)
+  res.send(err.message + '\n')
+}
+
+/**
+ * Sends the HTTP status code and error message as a custom error page.
+ *
+ * @param statusCode {number}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ * @param ldp {LDP}
+ */
+function sendErrorPage (statusCode, res, err, ldp) {
+  let errorPage = ldp.errorPages + statusCode.toString() + '.html'
+
+  return new Promise((resolve) => {
+    fs.readFile(errorPage, 'utf8', (readErr, text) => {
+      if (readErr) {
+        // Fall back on plain error response
+        return resolve(sendErrorResponse(statusCode, res, err))
+      }
+
+      res.status(statusCode)
+      res.header('Content-Type', 'text/html')
+      res.send(text)
+      resolve()
+    })
   })
 }
 
+/**
+ * Sends a 401 response with an HTML http-equiv type redirect body, to
+ * redirect any users requesting a resource directly in the browser to the
+ * Select Provider page and login workflow.
+ * Implemented as a 401 + redirect body instead of a 302 to provide a useful
+ * 401 response to REST/XHR clients.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ */
+function redirectToSelectProvider (req, res) {
+  res.status(401)
+  res.header('Content-Type', 'text/html')
+
+  let currentUrl = util.fullUrlForReq(req)
+  req.session.returnToUrl = currentUrl
+
+  let locals = req.app.locals
+  let loginUrl = locals.host.serverUri +
+    '/api/auth/select-provider?returnToUrl=' + currentUrl
+  debug('Redirecting to Select Provider: ' + loginUrl)
+
+  let body = redirectBody(loginUrl)
+  res.send(body)
+}
+
+/**
+ * Returns a response body for redirecting browsers to a Select Provider /
+ * login workflow page. Uses either a JS location.href redirect or an
+ * http-equiv type html redirect for no-script conditions.
+ *
+ * @param url {string}
+ *
+ * @returns {string} Response body
+ */
 function redirectBody (url) {
   return `<!DOCTYPE HTML>
 <meta charset="UTF-8">
@@ -63,15 +198,12 @@ follow the <a href='${url}'>link to login</a>
 `
 }
 
-function redirectToLogin (req, res) {
-  res.header('Content-Type', 'text/html')
-  var currentUrl = util.fullUrlForReq(req)
-  req.session.returnToUrl = currentUrl
-  let locals = req.app.locals
-  let loginUrl = locals.host.serverUri +
-    '/api/auth/select-provider?returnToUrl=' + currentUrl
-  debug('Redirecting to Select Provider: ' + loginUrl)
-
-  var body = redirectBody(loginUrl)
-  res.send(body)
+module.exports = {
+  handler,
+  redirectBody,
+  redirectToSelectProvider,
+  requiresSelectProvider,
+  sendErrorPage,
+  sendErrorResponse,
+  setAuthenticateHeader
 }

package.json

@@ -88,7 +88,7 @@
     "sinon": "^2.1.0",
     "sinon-chai": "^2.8.0",
     "standard": "^8.6.0",
-    "supertest": "^1.2.0"
+    "supertest": "^3.0.0"
   },
   "main": "index.js",
   "scripts": {