feat(auth): improve error handling and response types

Author: Tahul

src/runtime/api/auth/authorize.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, getRequestURL } from 'h3'
+import { H3Error, defineEventHandler, getRequestURL, sendError } from 'h3'
 import { useEdgeDbEnv, useEdgeDbPKCE } from '../../server'
 
 /**
@@ -16,7 +16,7 @@ export default defineEventHandler(async (req) => {
   if (!provider) {
     const err = new H3Error('Must provide a \'provider\' value in search parameters')
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const pkce = useEdgeDbPKCE()

src/runtime/api/auth/callback.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, getCookie, getRequestURL, setHeaders } from 'h3'
+import { H3Error, defineEventHandler, getCookie, getRequestURL, sendError, setHeaders } from 'h3'
 import { useEdgeDbEnv } from '../../server'
 
 /**
@@ -16,14 +16,14 @@ export default defineEventHandler(async (req) => {
     const error = requestUrl.searchParams.get('error')
     const err = new H3Error(`OAuth callback is missing 'code'. OAuth provider responded with error: ${error}`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const verifier = getCookie(req, 'edgedb-pkce-verifier')
   if (!verifier) {
     const err = new H3Error(`Could not find 'verifier' in the cookie store. Is this the same user agent/browser that started the authorization flow?`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const codeExchangeUrl = new URL('token', authBaseUrl)
@@ -36,13 +36,13 @@ export default defineEventHandler(async (req) => {
   if (!codeExchangeResponse.ok) {
     const err = new H3Error(await codeExchangeResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const codeExchangeResponseData = await codeExchangeResponse.json()
 
   await useNitroApp().hooks.callHook(
-    'edgedb:auth:callback',
+    'edgedb:auth:callback' as any,
     {
       code,
       verifier,

src/runtime/api/auth/login.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, readBody, setCookie } from 'h3'
+import { H3Error, defineEventHandler, readBody, sendError, setCookie } from 'h3'
 import { useEdgeDbEnv, useEdgeDbPKCE } from '../../server'
 
 export default defineEventHandler(async (req) => {
@@ -10,7 +10,7 @@ export default defineEventHandler(async (req) => {
   if (!email || !password || !provider) {
     const err = new H3Error(`Request body malformed. Expected JSON body with 'email', 'password', and 'provider' keys, but got: ${Object.entries({ email, password, provider }).filter(([, v]) => !!v)}`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const authenticateUrl = new URL('authenticate', authBaseUrl)
@@ -30,7 +30,7 @@ export default defineEventHandler(async (req) => {
   if (!authenticateResponse.ok) {
     const err = new H3Error(await authenticateResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const authenticateResponseData = await authenticateResponse.json()
@@ -45,7 +45,7 @@ export default defineEventHandler(async (req) => {
   if (!tokenResponse.ok) {
     const err = new H3Error(await tokenResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const tokenResponseData = await tokenResponse.json()

src/runtime/api/auth/logout.ts

@@ -1,19 +1,24 @@
 import { H3Error, defineEventHandler, getCookie, setCookie } from 'h3'
 
-export default defineEventHandler(async (event) => {
-  const authToken = getCookie(event, 'edgedb-auth-token')
+export default defineEventHandler(async (req) => {
+  const authToken = getCookie(req, 'edgedb-auth-token')
 
   if (!authToken) {
     const err = new H3Error('Not logged in')
     err.statusCode = 401
-    return err
+    return sendError(req, err)
   }
 
-  setCookie(event, 'edgedb-auth-token', '', {
-    httpOnly: true,
-    path: '/',
-    secure: true,
-    sameSite: true,
-    expires: new Date(0),
-  })
+  setCookie(
+    req,
+    'edgedb-auth-token',
+    '',
+    {
+      httpOnly: true,
+      path: '/',
+      secure: true,
+      sameSite: true,
+      expires: new Date(0),
+    },
+  )
 })

src/runtime/api/auth/reset-password.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, getCookie, readBody, setHeaders } from 'h3'
+import { H3Error, defineEventHandler, getCookie, readBody, sendError, setHeaders } from 'h3'
 import { useEdgeDbEnv } from '../../server'
 
 /**
@@ -13,15 +13,15 @@ export default defineEventHandler(async (req) => {
   if (!reset_token || !password) {
     const err = new H3Error(`Request body malformed. Expected JSON body with 'reset_token' and 'password' keys.`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const provider = 'builtin::local_emailpassword'
   const verifier = getCookie(req, 'edgedb-pkce-verifier')
   if (!verifier) {
     const err = new H3Error(`Could not find 'verifier' in the cookie store. Is this the same user agent/browser that started the authorization flow?`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const resetUrl = new URL('reset-password', authBaseUrl)
@@ -40,7 +40,7 @@ export default defineEventHandler(async (req) => {
   if (!resetResponse.ok) {
     const err = new H3Error(await resetResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const { code } = await resetResponse.json()
@@ -54,7 +54,7 @@ export default defineEventHandler(async (req) => {
   if (!tokenResponse.ok) {
     const err = new H3Error(await tokenResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const tokenResponseData = await tokenResponse.json()

src/runtime/api/auth/send-password-reset-email.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, readBody, setHeaders } from 'h3'
+import { H3Error, defineEventHandler, readBody, sendError, setHeaders } from 'h3'
 import { useEdgeDbEnv, useEdgeDbPKCE } from '../../server'
 
 /**
@@ -16,7 +16,7 @@ export default defineEventHandler(async (req) => {
   if (!email) {
     const err = new H3Error(`Request body is missing 'email'`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const sendResetUrl = new URL('send-reset-email', authBaseUrl)
@@ -36,7 +36,7 @@ export default defineEventHandler(async (req) => {
   if (!sendResetResponse.ok) {
     const err = new H3Error(await sendResetResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const { email_sent } = await sendResetResponse.json()

src/runtime/api/auth/signup.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, readBody, setHeaders } from 'h3'
+import { H3Error, defineEventHandler, readBody, sendError, setHeaders } from 'h3'
 import { useEdgeDbEnv, useEdgeDbPKCE } from '../../server'
 
 /**
@@ -16,7 +16,7 @@ export default defineEventHandler(async (req) => {
   if (!email || !password || !provider) {
     const err = new H3Error(`Request body malformed. Expected JSON body with 'email', 'password', and 'provider' keys, but got: ${Object.entries({ email, password, provider }).filter(([, v]) => !!v)}`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const registerUrl = new URL('register', authBaseUrl)
@@ -37,7 +37,7 @@ export default defineEventHandler(async (req) => {
   if (!registerResponse.ok) {
     const err = new H3Error(`Error from auth server: ${await registerResponse.text()}`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const registerResponseData = await registerResponse.json()

src/runtime/api/auth/verify.ts

@@ -1,4 +1,4 @@
-import { H3Error, defineEventHandler, getCookie, getRequestURL, setHeaders } from 'h3'
+import { H3Error, defineEventHandler, getCookie, getRequestURL, sendError, setHeaders } from 'h3'
 import { useEdgeDbEnv } from '../../server'
 
 /**
@@ -14,14 +14,14 @@ export default defineEventHandler(async (req) => {
   if (!verification_token) {
     const err = new H3Error(`Verify request is missing 'verification_token' search param. The verification email is malformed.`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const verifier = getCookie(req, 'edgedb-pkce-verifier')
   if (!verifier) {
     const err = new H3Error(`Could not find 'verifier' in the cookie store. Is this the same user agent/browser that started the authorization flow?`)
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const verifyUrl = new URL('verify', authBaseUrl)
@@ -40,7 +40,7 @@ export default defineEventHandler(async (req) => {
   if (!verifyResponse.ok) {
     const err = new H3Error(await verifyResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const { code } = await verifyResponse.json()
@@ -55,7 +55,7 @@ export default defineEventHandler(async (req) => {
   if (!tokenResponse.ok) {
     const err = new H3Error(await tokenResponse.text())
     err.statusCode = 400
-    return err
+    return sendError(req, err)
   }
 
   const tokenResponseData = await tokenResponse.json()