From 25c5fbc9475ba427c36f3f29b822aff7211f5af2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 06:33:26 +0000
Subject: [PATCH] fix(auth): improve robustness and add mock bypass

- Update `lib/auth/jwt.ts` to include `MB_MOCK` in auth bypass logic.
- Add explicit check for missing `AUTH0_DOMAIN` to prevent generic network errors.
- Update `app/api/raven/route.ts` to handle configuration errors gracefully.
- Update `lib/raven-formatting.ts` to translate configuration errors into user-friendly messages.
---
 app/api/raven/route.ts | 8 ++++++++
 lib/auth/jwt.ts | 12 ++++++++++--
 lib/raven-formatting.ts | 3 +++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/api/raven/route.ts b/app/api/raven/route.ts
index b90a6aef..d8b49d48 100644
--- a/app/api/raven/route.ts
+++ b/app/api/raven/route.ts
@@ -1193,6 +1193,14 @@ Now deliver this reading in your authentic Raven Calder voice. Speak as if they'
 const errMsg = err?.message || String(err);
 console.error('[Raven Auth] Token verification failed:', errMsg);
 // Surface specific JWT errors for debugging
+if (errMsg.includes('Missing AUTH0_DOMAIN')) {
+return NextResponse.json({
+ok: false,
+error: 'Configuration Error',
+detail: 'Server is missing AUTH0_DOMAIN environment variable.',
+hint: 'Please configure AUTH0_DOMAIN in your environment settings.'
+}, { status: 500 });
+}
 if (errMsg.includes('jwt audience invalid')) {
 return NextResponse.json({
 ok: false,
diff --git a/lib/auth/jwt.ts b/lib/auth/jwt.ts
index 5f5b5262..61580c88 100644
--- a/lib/auth/jwt.ts
+++ b/lib/auth/jwt.ts
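Review bot: The new branch sends the missing environment variable's name and a configuration hint to the caller, who at this point has just failed token verification and is therefore unauthenticated; that is server-configuration disclosure that belongs in the server log (already written by the `console.error` two lines above) rather than in the HTTP body. Keep the 500 but make the body generic, e.g. `detail: 'Authentication is not configured on this server.'`, and drop the `hint` field. Matching on the substring `'Missing AUTH0_DOMAIN'` also couples this route to the exact message text produced in `lib/auth/jwt.ts`; a dedicated error class or a `code` property on the rejection would be less fragile than string comparison. The enclosing handler starts and ends outside the hunk.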
@@ -6,10 +6,11 @@ import jwksClient from 'jwks-rsa';
 const IS_DEV = process.env.NODE_ENV === 'development';
 const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN;
 const IS_DUMMY_CONFIG = AUTH0_DOMAIN === 'dummy.auth0.com';
-const SKIP_AUTH = IS_DEV && (!AUTH0_DOMAIN || IS_DUMMY_CONFIG);
+const MB_MOCK = process.env.MB_MOCK === 'true' || process.env.MB_MOCK === '1';
+const SKIP_AUTH = (IS_DEV && (!AUTH0_DOMAIN || IS_DUMMY_CONFIG)) || MB_MOCK;
 if (SKIP_AUTH) {
-console.warn('[WARN] Auth0 configuration missing or dummy in development. Authentication will be bypassed.');
+console.warn('[WARN] Auth0 configuration missing or dummy in development (or MB_MOCK active). Authentication will be bypassed.');
 }
 const client = SKIP_AUTH
@@ -53,6 +54,13 @@ export async function verifyToken(token: string) {
 return Promise.resolve(getMockUser());
 }
+// Guard against missing config in non-dev environments
+if (!process.env.AUTH0_DOMAIN) {
+const msg = 'Missing AUTH0_DOMAIN in environment variables';
+console.error(`[Auth] ${msg}`);
+return Promise.reject(new Error(msg));
+}
+
 return new Promise((resolve, reject) => {
 jwt.verify(token, getKey as any, jwtVerifyOptions, (err, decoded) => {
 if (err) {
diff --git a/lib/raven-formatting.ts b/lib/raven-formatting.ts
index af475593..09c35c82 100644
--- a/lib/raven-formatting.ts
+++ b/lib/raven-formatting.ts
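Review bot: The rewritten `SKIP_AUTH` expression disables authentication whenever `MB_MOCK` is set, independently of `NODE_ENV`, so a stray `MB_MOCK=true` in a production environment turns `verifyToken` into an unconditional `getMockUser()`; the line it replaces at least required development mode. Keep the mock switch inside the dev gate, `const SKIP_AUTH = IS_DEV && (!AUTH0_DOMAIN || IS_DUMMY_CONFIG || MB_MOCK);`, or have module load fail when `MB_MOCK` is set outside development, and say in the `console.warn` text that this is a development-only bypass. In the second hunk the new guard re-reads `process.env.AUTH0_DOMAIN` although the module constant `AUTH0_DOMAIN` already holds that value; testing the constant keeps the check consistent with how `client` is constructed from it. `verifyToken` continues outside the hunk.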
@@ -63,6 +63,9 @@ export const formatFriendlyErrorMessage = (rawMessage: string, httpStatus?: numb
 if (r.includes('issuer mismatch') || r.includes('jwt issuer')) {
 return "Authentication error: Token issuer mismatch. Check that AUTH0_DOMAIN is configured correctly.";
 }
+if (r.includes('missing auth0_domain')) {
+return "Configuration Error: The server is missing the AUTH0_DOMAIN environment variable. Please ask the project owner to configure it.";
+}
 if (/missing|invalid token|invalid token/i.test(r) || status === 401) {
 // Use hint if provided (skip redundant "sign out" instructions since we add our own)
 if (hint && !/sign.?out/i.test(hint)) {
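Review bot: The new branch only fires when the lowercased message contains the exact phrase `missing auth0_domain`, wording that is owned by `app/api/raven/route.ts` and `lib/auth/jwt.ts`; if either side rewords its message (for example to stop naming the variable to clients), this silently falls through to the `/missing|invalid token/` branch directly below and the user is shown the sign-out advice instead. The branch must also stay ahead of that regex, since `missing` alone would otherwise match first. A short comment recording both constraints would help, e.g. `// Must precede the generic /missing|invalid token/ check; phrase comes from the 'Missing AUTH0_DOMAIN' detail in app/api/raven/route.ts — keep in sync.` `formatFriendlyErrorMessage` starts and ends outside the hunk.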