
🛡️ Sentinel: Fix JWT token leakage in error parameters #19

Open
AGI-Corporation wants to merge 2 commits into main from sentinel-fix-jwt-token-leakage-in-error-params-9029737308741381011

Conversation

@AGI-Corporation
Owner

@AGI-Corporation AGI-Corporation commented Mar 17, 2026

This PR addresses a security enhancement by preventing the disclosure of JWT tokens (even if invalid or expired) in error responses.

🚨 Severity: MEDIUM (Security Enhancement)

💡 Vulnerability

The INVALID_OR_EXPIRED_JWT_TOKEN error was including the full JWT token in its params object. The application's global errorHandler in packages/server/api/src/app/helper/error-handler.ts serializes these parameters directly into the response body.

🎯 Impact

Echoing back bearer tokens, even invalid ones, can provide an attacker with insights into the expected token format, structure, or content. It also leads to unnecessary exposure of tokens in logs (server-side and client-side) and through interception.

🔧 Fix

  1. Shared Types: Modified packages/shared/src/lib/common/activepieces-error.ts to update the InvalidJwtTokenErrorParams type, removing the token field and replacing it with an empty Record<string, never>.
  2. Service Logic: Updated packages/server/api/src/app/ee/connection-keys/connection-key.service.ts to stop passing the token when throwing the INVALID_OR_EXPIRED_JWT_TOKEN error.
  3. Sentinel Journal: Documented this vulnerability pattern in .jules/sentinel.md to prevent future occurrences.

✅ Verification

  • Verified code changes through manual inspection to ensure no sensitive fields are passed to ActivepiecesError.
  • Ran pnpm nx test shared to ensure no regressions in core error handling types.
  • Confirmed via git status that no unrelated artifacts (like pnpm-lock.yaml or build logs) are included in the submission.

PR created automatically by Jules for task 9029737308741381011 started by @AGI-Corporation

Summary by CodeRabbit

  • Bug Fixes

    • Resolved a security vulnerability where authentication tokens were inadvertently exposed in error messages. Error responses no longer include sensitive token information.
  • Documentation

    • Added security documentation outlining the token exposure issue and prevention strategies.
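To make the leak concrete, here is an added TypeScript example (not the project's own code): a hypothetical `AppError` class and `errorHandler` stand in for `ActivepiecesError` and the global error handler, and the response body is shown before and after the type change. The redaction step at the end is an assumed defence-in-depth measure in the spirit of the parameter sanitization the sentinel note proposes, not something this PR implements.

```typescript
// Added illustration, not Activepieces code. A hypothetical AppError carries a
// `params` object that a global handler serializes straight into the response body.
type ErrorCode = 'INVALID_OR_EXPIRED_JWT_TOKEN'

// Before the PR: the params type allowed a `token` field.
type LeakyJwtErrorParams = { token: string }
// After the PR: `Record<string, never>`, so no field can be passed at all.
type InvalidJwtTokenErrorParams = Record<string, never>

class AppError<P extends object> extends Error {
  constructor(public readonly code: ErrorCode, public readonly params: P) {
    super(code)
  }
}

// Hypothetical global handler mirroring the behaviour the PR describes:
// it echoes `params` into the body without filtering.
function errorHandler(err: AppError<object>): { statusCode: number; body: string } {
  return { statusCode: 401, body: JSON.stringify({ code: err.code, params: err.params }) }
}

// Defence in depth (an added safeguard, not part of the PR): redact any string value
// shaped like a JWT (three base64url segments joined by dots) before serialization.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/
function redactJwtValues(params: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {}
  for (const key of Object.keys(params)) {
    const value = params[key]
    out[key] = typeof value === 'string' && JWT_SHAPE.test(value) ? '[REDACTED_JWT]' : value
  }
  return out
}
function hardenedErrorHandler(err: AppError<Record<string, unknown>>) {
  return errorHandler(new AppError(err.code, redactJwtValues(err.params)))
}

// Constructed sample token (header.payload.signature); not a real credential.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl'

function leakyResponseBody(): string {
  const params: LeakyJwtErrorParams = { token: SAMPLE_JWT }
  return errorHandler(new AppError('INVALID_OR_EXPIRED_JWT_TOKEN', params)).body
}
function fixedResponseBody(): string {
  const params: InvalidJwtTokenErrorParams = {}
  return errorHandler(new AppError('INVALID_OR_EXPIRED_JWT_TOKEN', params)).body
}
function hardenedResponseBody(): string {
  return hardenedErrorHandler(new AppError('INVALID_OR_EXPIRED_JWT_TOKEN', { token: SAMPLE_JWT })).body
}
```

The pre-fix body contains the full token; the post-fix body is `{"code":"INVALID_OR_EXPIRED_JWT_TOKEN","params":{}}`, and the hardened handler would still redact a token if a caller reintroduced one.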

Removed the `token` field from `INVALID_OR_EXPIRED_JWT_TOKEN` error
parameters in both `activepieces-error.ts` and
`connection-key.service.ts`. This ensures that even invalid or expired
JWT tokens are not echoed back to the client by the global error handler,
minimizing sensitive information disclosure.

- Updated `InvalidJwtTokenErrorParams` type to `Record<string, never>`.
- Removed token passing in `connection-key.service.ts`.
- Documented finding in `.jules/sentinel.md`.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56b97cdd-f88d-412b-822b-49368f0561f2

📥 Commits

Reviewing files that changed from the base of the PR and between f61e720 and 8093ebd.

📒 Files selected for processing (3)
  • .jules/sentinel.md
  • packages/server/api/src/app/ee/connection-keys/connection-key.service.ts
  • packages/shared/src/lib/common/activepieces-error.ts

πŸ“ Walkthrough

Walkthrough

This pull request implements a security fix that removes JWT token information from error responses to prevent sensitive token data from being exposed in error parameters and logs. The fix updates error type definitions and error handling implementations across the codebase.

Changes

Cohort / File(s): Summary
  • Security Documentation (.jules/sentinel.md): Added security note documenting the JWT token leakage vulnerability and proposing prevention strategies through parameter sanitization.
  • Error Type Definition (packages/shared/src/lib/common/activepieces-error.ts): Modified InvalidJwtTokenErrorParams type to use Record<string, never> instead of { token: string }, preventing token data from being included in error parameters.
  • Error Handling Implementation (packages/server/api/src/app/ee/connection-keys/connection-key.service.ts): Updated two error-throw branches to pass empty object {} instead of token-containing params to ActivepiecesError.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Tokens once leaked in error's cry,
Now safely hidden, secrets stay dry,
With types refined and handlers clean,
No JWT exposed shall e'er be seen! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. Explanation: The description provides a comprehensive explanation of the vulnerability, impact, and fixes implemented. However, it does not strictly follow the template structure with 'What does this PR do?', 'Explain How the Feature Works', and 'Relevant User Scenarios' sections. Resolution: Consider restructuring the description to follow the template format with explicit sections for 'What does this PR do?', feature explanation, and relevant user scenarios, or clarify if a custom security-focused template is preferred.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title clearly identifies the main security fix: preventing JWT token leakage in error parameters. It directly relates to the primary change across all modified files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

