fix: return HTTP 401 for unauthorized mutations and handle expired tokens

clintonlunn · clintonlunn · commit 6c00f7ccfde0 · 2026-01-09T09:44:58.000-07:00
diff --git a/src/auth/middleware.ts b/src/auth/middleware.ts
@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext
       }
     } catch (e) {
       logger.error(`Can't verify JWT token ${e.toString() as string}`)
-      throw new Error("Unauthorized. Can't verify JWT token")
+      // Return empty user instead of throwing - allows public queries to work
+      // Mutations will be blocked by graphql-shield permissions
+      return { user: EMTPY_USER }
     }
   }
 
diff --git a/src/auth/permissions.ts b/src/auth/permissions.ts
@@ -1,3 +1,4 @@
+import { GraphQLError } from 'graphql'
 import { allow, and, or, shield } from 'graphql-shield'
 import { isEditor, isMediaOwner, isOwner, isUserAdmin, isValidEmail } from './rules.js'
 
@@ -24,7 +25,10 @@ const permissions = shield({
 },
 {
   allowExternalErrors: true,
-  fallbackRule: allow
+  fallbackRule: allow,
+  fallbackError: new GraphQLError('Not Authorised!', {
+    extensions: { code: 'FORBIDDEN' }
+  })
 })
 
 export default permissions
diff --git a/src/server.ts b/src/server.ts
@@ -1,4 +1,4 @@
-import { ApolloServer } from '@apollo/server'
+import { ApolloServer, ApolloServerPlugin } from '@apollo/server'
 import { expressMiddleware } from '@apollo/server/express4'
 import { ApolloServerPluginDrainHttpServer } from '@apollo/server/plugin/drainHttpServer'
 import express from 'express'
@@ -8,6 +8,26 @@ import bodyParser from 'body-parser'
 import { InMemoryLRUCache } from '@apollo/utils.keyvaluecache'
 
 import { applyMiddleware } from 'graphql-middleware'
+
+/**
+ * Plugin to return HTTP 401 for FORBIDDEN errors (unauthorized mutations)
+ */
+const httpStatusPlugin: ApolloServerPlugin = {
+  async requestDidStart () {
+    return {
+      async willSendResponse ({ response }) {
+        // Check if any error has FORBIDDEN code
+        const hasForbiddenError = response.body.kind === 'single' &&
+          response.body.singleResult.errors?.some(
+            (err) => err.extensions?.code === 'FORBIDDEN'
+          )
+        if (hasForbiddenError) {
+          response.http.status = 401
+        }
+      }
+    }
+  }
+}
 import { graphqlSchema } from './graphql/resolvers.js'
 import MutableAreaDataSource from './model/MutableAreaDataSource.js'
 import ChangeLogDataSource from './model/ChangeLogDataSource.js'
@@ -47,7 +67,10 @@ export async function createServer (): Promise<{ app: express.Application, serve
   const server = new ApolloServer({
     introspection: true,
     schema,
-    plugins: [ApolloServerPluginDrainHttpServer({ httpServer })],
+    plugins: [
+      ApolloServerPluginDrainHttpServer({ httpServer }),
+      httpStatusPlugin
+    ],
     cache: new InMemoryLRUCache({
       max: 50,
       maxSize: 1024 * 1024 * 10

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,9 @@ async function validateTokenAndExtractUser (req: Request): Promise<CustomContext`
`45`	`45`	`}`
`46`	`46`	`} catch (e) {`
`47`	`47`	logger.error(`Can't verify JWT token ${e.toString() as string}`)
`48`		`- throw new Error("Unauthorized. Can't verify JWT token")`
	`48`	`+ // Return empty user instead of throwing - allows public queries to work`
	`49`	`+ // Mutations will be blocked by graphql-shield permissions`
	`50`	`+ return { user: EMTPY_USER }`
`49`	`51`	`}`
`50`	`52`	`}`
`51`	`53`