fix: restore drawing auth failures and health checks

Author: ZimengXiong

backend/src/__tests__/link-sharing-public.integration.ts

@@ -6,9 +6,20 @@ import { StringValue } from "ms";
 import { PrismaClient } from "../generated/client";
 import { config } from "../config";
 import { getTestPrisma, setupTestDb } from "./testUtils";
+import {
+  ACCESS_TOKEN_COOKIE_NAME,
+  REFRESH_TOKEN_COOKIE_NAME,
+} from "../auth/cookies";
 
 describe("Link Sharing - Public By Drawing ID", () => {
   const userAgent = "vitest-link-sharing-public";
+  const createRefreshToken = (user: { id: string; email: string }) =>
+    jwt.sign(
+      { userId: user.id, email: user.email, type: "refresh" },
+      config.jwtSecret,
+      { expiresIn: config.jwtRefreshExpiresIn as StringValue }
+    );
+
   let prisma: PrismaClient;
   let app: any;
 
@@ -34,6 +45,34 @@ describe("Link Sharing - Public By Drawing ID", () => {
     });
   };
 
+  const createLinkShare = async (
+    drawingId: string,
+    permission: "view" | "edit"
+  ) => {
+    const response = await ownerAgent
+      .post(`/drawings/${drawingId}/link-shares`)
+      .set("User-Agent", userAgent)
+      .set("Authorization", `Bearer ${ownerToken}`)
+      .set(ownerCsrfHeaderName, ownerCsrfToken)
+      .send({ permission });
+
+    expect(response.status).toBe(200);
+    return response;
+  };
+
+  const createAnonymousAgentWithCsrf = async () => {
+    const anonAgent = request.agent(app);
+    const anonCsrfRes = await anonAgent
+      .get("/csrf-token")
+      .set("User-Agent", userAgent);
+
+    return {
+      anonAgent,
+      anonCsrfHeaderName: anonCsrfRes.body.header as string,
+      anonCsrfToken: anonCsrfRes.body.token as string,
+    };
+  };
+
   beforeAll(async () => {
     setupTestDb();
     prisma = getTestPrisma();
@@ -88,14 +127,7 @@ describe("Link Sharing - Public By Drawing ID", () => {
 
   it("allows anonymous GET when link-share policy is view", async () => {
     const drawing = await createDrawing();
-
-    const linkRes = await ownerAgent
-      .post(`/drawings/${drawing.id}/link-shares`)
-      .set("User-Agent", userAgent)
-      .set("Authorization", `Bearer ${ownerToken}`)
-      .set(ownerCsrfHeaderName, ownerCsrfToken)
-      .send({ permission: "view" });
-    expect(linkRes.status).toBe(200);
+    await createLinkShare(drawing.id, "view");
 
     const anonGet = await request(app)
       .get(`/drawings/${drawing.id}`)
@@ -104,12 +136,8 @@ describe("Link Sharing - Public By Drawing ID", () => {
     expect(anonGet.body?.id).toBe(drawing.id);
     expect(anonGet.body?.accessLevel).toBe("view");
 
-    const anonAgent = request.agent(app);
-    const anonCsrfRes = await anonAgent
-      .get("/csrf-token")
-      .set("User-Agent", userAgent);
-    const anonCsrfHeaderName = anonCsrfRes.body.header;
-    const anonCsrfToken = anonCsrfRes.body.token;
+    const { anonAgent, anonCsrfHeaderName, anonCsrfToken } =
+      await createAnonymousAgentWithCsrf();
 
     const anonPut = await anonAgent
       .put(`/drawings/${drawing.id}`)
@@ -119,23 +147,45 @@ describe("Link Sharing - Public By Drawing ID", () => {
     expect(anonPut.status).toBe(404);
   });
 
-  it("allows anonymous PUT when link-share policy is edit", async () => {
+  it("still allows anonymous GET when a stale access-token cookie is present", async () => {
     const drawing = await createDrawing();
+    await createLinkShare(drawing.id, "view");
 
-    const linkRes = await ownerAgent
-      .post(`/drawings/${drawing.id}/link-shares`)
+    const response = await request(app)
+      .get(`/drawings/${drawing.id}`)
       .set("User-Agent", userAgent)
-      .set("Authorization", `Bearer ${ownerToken}`)
-      .set(ownerCsrfHeaderName, ownerCsrfToken)
-      .send({ permission: "edit" });
-    expect(linkRes.status).toBe(200);
+      .set(
+        "Cookie",
+        `${ACCESS_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      );
 
-    const anonAgent = request.agent(app);
-    const anonCsrfRes = await anonAgent
-      .get("/csrf-token")
-      .set("User-Agent", userAgent);
-    const anonCsrfHeaderName = anonCsrfRes.body.header;
-    const anonCsrfToken = anonCsrfRes.body.token;
+    expect(response.status).toBe(200);
+    expect(response.body?.id).toBe(drawing.id);
+    expect(response.body?.accessLevel).toBe("view");
+  });
+
+  it("still allows anonymous GET when only a refresh-token cookie is present", async () => {
+    const drawing = await createDrawing();
+    await createLinkShare(drawing.id, "view");
+
+    const response = await request(app)
+      .get(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${REFRESH_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      );
+
+    expect(response.status).toBe(200);
+    expect(response.body?.id).toBe(drawing.id);
+    expect(response.body?.accessLevel).toBe("view");
+  });
+
+  it("allows anonymous PUT when link-share policy is edit", async () => {
+    const drawing = await createDrawing();
+    await createLinkShare(drawing.id, "edit");
+    const { anonAgent, anonCsrfHeaderName, anonCsrfToken } =
+      await createAnonymousAgentWithCsrf();
 
     const anonPut = await anonAgent
       .put(`/drawings/${drawing.id}`)
@@ -147,6 +197,97 @@ describe("Link Sharing - Public By Drawing ID", () => {
     expect(anonPut.body?.name).toBe("Renamed By Anonymous");
   });
 
+  it("still allows anonymous PUT when edit link-share is active and a stale access-token cookie is present", async () => {
+    const drawing = await createDrawing();
+    await createLinkShare(drawing.id, "edit");
+    const { anonAgent, anonCsrfHeaderName, anonCsrfToken } =
+      await createAnonymousAgentWithCsrf();
+
+    const response = await anonAgent
+      .put(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${ACCESS_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      )
+      .set(anonCsrfHeaderName, anonCsrfToken)
+      .send({ name: "Edited With Stale Cookie" });
+
+    expect(response.status).toBe(200);
+    expect(response.body?.id).toBe(drawing.id);
+    expect(response.body?.name).toBe("Edited With Stale Cookie");
+  });
+
+  it("still allows anonymous PUT when only a refresh-token cookie is present", async () => {
+    const drawing = await createDrawing();
+    await createLinkShare(drawing.id, "edit");
+    const { anonAgent, anonCsrfHeaderName, anonCsrfToken } =
+      await createAnonymousAgentWithCsrf();
+
+    const response = await anonAgent
+      .put(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${REFRESH_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      )
+      .set(anonCsrfHeaderName, anonCsrfToken)
+      .send({ name: "Edited With Refresh Cookie" });
+
+    expect(response.status).toBe(200);
+    expect(response.body?.id).toBe(drawing.id);
+    expect(response.body?.name).toBe("Edited With Refresh Cookie");
+  });
+
+  it("returns 401 for a private drawing when a stale access-token cookie is present", async () => {
+    const drawing = await createDrawing();
+
+    const response = await request(app)
+      .get(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${ACCESS_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      );
+
+    expect(response.status).toBe(401);
+    expect(response.body?.message).toBe("Invalid or expired token");
+  });
+
+  it("returns 401 for a private drawing when only a refresh-token cookie is present", async () => {
+    const drawing = await createDrawing();
+
+    const response = await request(app)
+      .get(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${REFRESH_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      );
+
+    expect(response.status).toBe(401);
+    expect(response.body?.message).toBe("Invalid or expired token");
+  });
+
+  it("returns 401 for a private drawing PUT when a stale access-token cookie is present", async () => {
+    const drawing = await createDrawing();
+    const { anonAgent, anonCsrfHeaderName, anonCsrfToken } =
+      await createAnonymousAgentWithCsrf();
+
+    const response = await anonAgent
+      .put(`/drawings/${drawing.id}`)
+      .set("User-Agent", userAgent)
+      .set(
+        "Cookie",
+        `${ACCESS_TOKEN_COOKIE_NAME}=${createRefreshToken(ownerUser)}`
+      )
+      .set(anonCsrfHeaderName, anonCsrfToken)
+      .send({ name: "Should Fail" });
+
+    expect(response.status).toBe(401);
+    expect(response.body?.message).toBe("Invalid or expired token");
+  });
+
   it("revokes previous active link-share when creating a new one", async () => {
     const drawing = await createDrawing();
 
@@ -180,4 +321,3 @@ describe("Link Sharing - Public By Drawing ID", () => {
     expect(activeCount).toBe(1);
   });
 });
-

backend/src/auth/cookies.test.ts

@@ -0,0 +1,50 @@
+import type { Request, Response } from "express";
+import ms, { type StringValue } from "ms";
+import { describe, expect, it, vi } from "vitest";
+import { config } from "../config";
+import {
+  ACCESS_TOKEN_COOKIE_NAME,
+  REFRESH_TOKEN_COOKIE_NAME,
+  setAuthCookies,
+} from "./cookies";
+
+const createRequest = (): Request =>
+  ({
+    secure: false,
+    headers: {},
+    app: {
+      get: vi.fn().mockReturnValue(false),
+    },
+  }) as unknown as Request;
+
+const createResponse = (): Response =>
+  ({
+    cookie: vi.fn().mockReturnThis(),
+  }) as unknown as Response;
+
+describe("auth cookies", () => {
+  it("keeps the access-token cookie aligned with the access-token lifetime", () => {
+    const req = createRequest();
+    const res = createResponse();
+
+    setAuthCookies(req, res, {
+      accessToken: "access-token",
+      refreshToken: "refresh-token",
+    });
+
+    expect(res.cookie).toHaveBeenCalledTimes(2);
+
+    const accessCall = (res.cookie as any).mock.calls.find(
+      (call: unknown[]) => call[0] === ACCESS_TOKEN_COOKIE_NAME
+    );
+    const refreshCall = (res.cookie as any).mock.calls.find(
+      (call: unknown[]) => call[0] === REFRESH_TOKEN_COOKIE_NAME
+    );
+
+    expect(accessCall).toBeTruthy();
+    expect(refreshCall).toBeTruthy();
+    expect(accessCall[2].maxAge).toBe(ms(config.jwtAccessExpiresIn as StringValue));
+    expect(refreshCall[2].maxAge).toBe(ms(config.jwtRefreshExpiresIn as StringValue));
+    expect(accessCall[2].maxAge).not.toBe(refreshCall[2].maxAge);
+  });
+});

backend/src/middleware/auth.ts

@@ -4,7 +4,11 @@ import { config } from "../config";
 import { PrismaClient } from "../generated/client";
 import { prisma as defaultPrisma } from "../db/prisma";
 import { createAuthModeService, type AuthModeService } from "../auth/authMode";
-import { ACCESS_TOKEN_COOKIE_NAME, readCookie } from "../auth/cookies";
+import {
+  ACCESS_TOKEN_COOKIE_NAME,
+  REFRESH_TOKEN_COOKIE_NAME,
+  readCookie,
+} from "../auth/cookies";
 
 declare global {
   namespace Express {
@@ -22,6 +26,9 @@ declare global {
         kind: "user";
         userId: string;
       };
+      authError?: {
+        code: "INVALID_ACCESS_TOKEN" | "ACCESS_TOKEN_MISSING";
+      };
     }
   }
 }
@@ -60,6 +67,9 @@ const extractToken = (req: Request): string | null => {
   return readCookie(req, ACCESS_TOKEN_COOKIE_NAME);
 };
 
+const hasRefreshTokenCookie = (req: Request): boolean =>
+  readCookie(req, REFRESH_TOKEN_COOKIE_NAME) !== null;
+
 const verifyToken = (token: string): JwtPayload | null => {
   try {
     const decoded = jwt.verify(token, config.jwtSecret);
@@ -227,12 +237,17 @@ export const createAuthMiddleware = ({
     const token = extractToken(req);
 
     if (!token) {
+      if (hasRefreshTokenCookie(req)) {
+        req.authError = { code: "ACCESS_TOKEN_MISSING" };
+        return next();
+      }
       return next();
     }
 
     const payload = verifyToken(token);
 
     if (!payload) {
+      req.authError = { code: "INVALID_ACCESS_TOKEN" };
       return next();
     }
 

backend/src/routes/dashboard/drawings.ts

@@ -67,6 +67,19 @@ export const registerDrawingRoutes = (
     return 90 * 24 * 60 * 60 * 1000;
   };
 
+  const respondWithAuthErrorIfPresent = (
+    req: express.Request,
+    res: express.Response
+  ): boolean => {
+    if (!req.authError) return false;
+
+    res.status(401).json({
+      error: "Unauthorized",
+      message: "Invalid or expired token",
+    });
+    return true;
+  };
+
   app.get("/drawings", requireAuth, asyncHandler(async (req, res) => {
     if (!req.user) {
       return res.status(401).json({ error: "Unauthorized" });
@@ -325,6 +338,7 @@ export const registerDrawingRoutes = (
     const { id } = req.params;
     const access = await getDrawingAccess({ prisma, principal, drawingId: id });
     if (!canViewDrawing(access)) {
+      if (respondWithAuthErrorIfPresent(req, res)) return;
       return res.status(404).json({ error: "Drawing not found", message: "Drawing does not exist" });
     }
 
@@ -412,6 +426,7 @@ export const registerDrawingRoutes = (
     const { id } = req.params;
     const access = await getDrawingAccess({ prisma, principal, drawingId: id });
     if (!canEditDrawing(access)) {
+      if (respondWithAuthErrorIfPresent(req, res)) return;
       return res.status(404).json({ error: "Drawing not found" });
     }