2087 Fix error handling between blockchain and email service (#2090)

openkfw · Nov 11, 2024 · b1859c1 · b1859c1
1 parent 789517c
commit b1859c1
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 16 deletions.
diff --git a/blockchain/src/envVarsSchema.js b/blockchain/src/envVarsSchema.js
@@ -159,7 +159,7 @@ const envVarsSchema = Joi.object({
   JWT_SECRET: Joi.string()
     .when("EMAIL_SERVICE_ENABLED", {
       is: true,
-      then: Joi.required(),
+      then: Joi.required().when("JWT_ALGORITHM", { is: "RS256", then: Joi.string().base64().min(2240) }),
       otherwise: Joi.optional().allow("", null),
     })
     .note(

diff --git a/blockchain/src/multichain-feed/email-notifications/createAuthToken.js b/blockchain/src/multichain-feed/email-notifications/createAuthToken.js
@@ -1,14 +1,22 @@
-let jwt = require("jsonwebtoken");
+const jwt = require("jsonwebtoken");
 
 function createJWT(secret, id, algorithm = "HS256") {
+  if (!secret || typeof secret !== "string") {
+    throw new Error("Invalid or missing secret key.");
+  }
+
+  const supportedAlgorithms = ["HS256", "RS256"];
+  if (!supportedAlgorithms.includes(algorithm)) {
+    throw new Error(`Unsupported algorithm: ${algorithm}`);
+  }
+
   const secretOrPrivateKey = algorithm === "RS256" ? Buffer.from(secret, "base64") : secret;
-  return jwt.sign(
-    {
-      id,
-    },
-    secretOrPrivateKey,
-    { expiresIn: "8h", algorithm },
-  );
+
+  try {
+    return jwt.sign({ id }, secretOrPrivateKey, { expiresIn: "8h", algorithm });
+  } catch (error) {
+    throw new Error(`JWT creation failed: ${error.message}`);
+  }
 }
 
 module.exports = {

diff --git a/blockchain/src/multichain-feed/email-notifications/sendNotifications.js b/blockchain/src/multichain-feed/email-notifications/sendNotifications.js
@@ -20,6 +20,16 @@ function ExpiredTokenException(message) {
   this.name = "ExpiredTokenException";
 }
 
+function InvalidAlgorithmException(message) {
+  this.message = message;
+  this.name = "InvalidAlgorithmException";
+}
+
+function InvalidTokenException(message) {
+  this.message = message;
+  this.name = "InvalidTokenException";
+}
+
 function ConnectionRefusedException(message) {
   this.message = message;
   this.name = "ECONNREFUSED";
@@ -79,10 +89,15 @@ const sendNotifications = async (path, emailServiceSocketAddress, token, ssl = f
         }
       }
       switch (error.response.status) {
-        case 400:
-          // If Bearer token has expired
-          throw new ExpiredTokenException("JWT-Token expired");
-
+        case 400: {
+          if (error.response.data.message === "invalid algorithm") {
+            throw new InvalidAlgorithmException("invalid algorithm");
+          }
+          if (error.response.data.message === "jwt expired") {
+            throw new ExpiredTokenException("JWT-Token expired");
+          }
+          throw new InvalidTokenException("invalid token");
+        }
         case 404:
           // If no email address is found in the database delete the notification file
           if (error.response.data.notification.emailAddress === "Not Found") {
@@ -143,7 +158,13 @@ const [path, emailServiceSocketAddress, secret, maxPersistenceHours, loopInterva
 const absolutePath = process.cwd() + "/" + path;
 
 (async () => {
-  let token = createJWT(secret, "notification-watcher", algorithm);
+  let token;
+  try {
+    token = createJWT(secret, "notification-watcher", algorithm);
+  } catch (error) {
+    log.error(error, "Error creating JWT. Notification Watcher exiting.");
+    process.exit(1);
+  }
 
   while (true) {
     log.trace("Checking for new notifications");
@@ -154,8 +175,10 @@ const absolutePath = process.cwd() + "/" + path;
       if (error.name === "ExpiredTokenException") {
         token = createJWT(secret, "notification-watcher", algorithm);
         log.info("New JWT token created due to expiration.");
+      } else if (error.name === "InvalidAlgorithmException") {
+        log.error(error, `Notification e-mail request signed with invalid algorithm: ${algorithm}`);
       } else {
-        log.error("Error during notification processing:", error);
+        log.error(error, "Error during notification processing");
       }
     }
     await sleep(loopIntervalSeconds);

diff --git a/email-notification-service/src/middleware.ts b/email-notification-service/src/middleware.ts
@@ -48,7 +48,13 @@ export const verifyNotificationJWT = (req: Request, res, next): void => {
     })
     .catch((err) => {
       logger.error({ err, token }, "Notification-JWT invalid");
-      const body: InvalidJWTResponseBody = { message: "Invalid JWT token provided." };
+      let message = "Invalid JWT token provided.";
+      if (err.message === "invalid algorithm") {
+        message = err.message;
+      } else if (err.message === "jwt expired") {
+        message = err.message;
+      }
+      const body: InvalidJWTResponseBody = { message };
       res.status(400).json(body);
     });
 };