fix: self review test fixes (#955)

* feat: better error handling for invalid login/out challenges

* ci: make ci job only run if necessary

.circleci/config.yml

@@ -64,6 +64,12 @@ jobs:
 workflows:
     version: 2
     tagged-build:
+        when: # One must be true to trigger
+            or:
+                - equal: [true, <<pipeline.parameters.force>>]
+                - matches: { pattern: "dev-v[0-9]+(\\.[0-9]+)*", value: << pipeline.git.tag >> }
+                - matches: { pattern: "v[0-9]+(\\.[0-9]+)*", value: << pipeline.git.tag >> }
+                - equal: ["master", << pipeline.git.branch >>]
         jobs:
             - publish:
                   context:

lib/build/recipe/oauth2provider/api/implementation.js

@@ -169,6 +169,9 @@ function getAPIImplementation() {
                 challenge: logoutChallenge,
                 userContext,
             });
+            if ("error" in response) {
+                return response;
+            }
             const res = await utils_1.handleLogoutInternalRedirects({
                 response,
                 recipeImplementation: options.recipeImplementation,

lib/build/recipe/oauth2provider/recipeImplementation.js

@@ -803,12 +803,14 @@ function getRecipeInterface(
                     };
                 } else {
                     // Accept the logout challenge immediately as there is no supertokens session
-                    redirectTo = (
-                        await this.acceptLogoutRequest({
-                            challenge: logoutChallenge,
-                            userContext: input.userContext,
-                        })
-                    ).redirectTo;
+                    const acceptLogoutResponse = await this.acceptLogoutRequest({
+                        challenge: logoutChallenge,
+                        userContext: input.userContext,
+                    });
+                    if ("error" in acceptLogoutResponse) {
+                        return acceptLogoutResponse;
+                    }
+                    return { redirectTo: acceptLogoutResponse.redirectTo };
                 }
             }
             // CASE 2 or 3 (See above notes)
@@ -831,6 +833,14 @@ function getRecipeInterface(
                 {},
                 input.userContext
             );
+            if (resp.status !== "OK") {
+                return {
+                    status: "ERROR",
+                    statusCode: resp.statusCode,
+                    error: resp.error,
+                    errorDescription: resp.errorDescription,
+                };
+            }
             const redirectTo = getUpdatedRedirectTo(appInfo, resp.redirectTo);
             if (redirectTo.endsWith("/fallbacks/logout/callback")) {
                 return {

lib/build/recipe/oauth2provider/types.d.ts

@@ -354,9 +354,12 @@ export declare type RecipeInterface = {
     acceptLogoutRequest(input: {
         challenge: string;
         userContext: UserContext;
-    }): Promise<{
-        redirectTo: string;
-    }>;
+    }): Promise<
+        | {
+              redirectTo: string;
+          }
+        | ErrorOAuth2
+    >;
     rejectLogoutRequest(input: {
         challenge: string;
         userContext: UserContext;

lib/ts/recipe/oauth2provider/api/implementation.ts

@@ -185,6 +185,10 @@ export default function getAPIImplementation(): APIInterface {
                 userContext,
             });
 
+            if ("error" in response) {
+                return response;
+            }
+
             const res = await handleLogoutInternalRedirects({
                 response,
                 recipeImplementation: options.recipeImplementation,

lib/ts/recipe/oauth2provider/recipeImplementation.ts

@@ -819,12 +819,14 @@ export default function getRecipeInterface(
                     };
                 } else {
                     // Accept the logout challenge immediately as there is no supertokens session
-                    redirectTo = (
-                        await this.acceptLogoutRequest({
-                            challenge: logoutChallenge,
-                            userContext: input.userContext,
-                        })
-                    ).redirectTo;
+                    const acceptLogoutResponse = await this.acceptLogoutRequest({
+                        challenge: logoutChallenge,
+                        userContext: input.userContext,
+                    });
+                    if ("error" in acceptLogoutResponse) {
+                        return acceptLogoutResponse;
+                    }
+                    return { redirectTo: acceptLogoutResponse.redirectTo };
                 }
             }
 
@@ -851,6 +853,15 @@ export default function getRecipeInterface(
                 input.userContext
             );
 
+            if (resp.status !== "OK") {
+                return {
+                    status: "ERROR",
+                    statusCode: resp.statusCode,
+                    error: resp.error,
+                    errorDescription: resp.errorDescription,
+                };
+            }
+
             const redirectTo = getUpdatedRedirectTo(appInfo, resp.redirectTo);
 
             if (redirectTo.endsWith("/fallbacks/logout/callback")) {

lib/ts/recipe/oauth2provider/types.ts

@@ -412,7 +412,10 @@ export type RecipeInterface = {
         shouldTryRefresh: boolean;
         userContext: UserContext;
     }): Promise<{ redirectTo: string } | ErrorOAuth2>;
-    acceptLogoutRequest(input: { challenge: string; userContext: UserContext }): Promise<{ redirectTo: string }>;
+    acceptLogoutRequest(input: {
+        challenge: string;
+        userContext: UserContext;
+    }): Promise<{ redirectTo: string } | ErrorOAuth2>;
     rejectLogoutRequest(input: { challenge: string; userContext: UserContext }): Promise<{ status: "OK" }>;
 };