From 05b60b2dc6bd2187501b2583cdaa27a90c45b1d5 Mon Sep 17 00:00:00 2001
From: John Estabrook <jestabro@vyos.io>
Date: Mon, 21 Nov 2022 14:06:23 -0600
Subject: graphql: T4574: add specific error message if token has expired

Catch expiration error and return error-specific message instead of
general 'not authenticated'.
---
 src/services/api/graphql/graphql/mutations.py | 6 ++++++
 src/services/api/graphql/graphql/queries.py   | 6 ++++++
 src/services/api/graphql/libs/token_auth.py   | 3 +++
 3 files changed, 15 insertions(+)

(limited to 'src/services')

diff --git a/src/services/api/graphql/graphql/mutations.py b/src/services/api/graphql/graphql/mutations.py
index 31cb1afc4..87ea59c43 100644
--- a/src/services/api/graphql/graphql/mutations.py
+++ b/src/services/api/graphql/graphql/mutations.py
@@ -73,6 +73,12 @@ def make_mutation_resolver(mutation_name, class_name, session_func):
                 info = kwargs['info']
                 user = info.context.get('user')
                 if user is None:
+                    error = info.context.get('error')
+                    if error is not None:
+                        return {
+                            "success": False,
+                            "errors": [error]
+                        }
                     return {
                         "success": False,
                         "errors": ['not authenticated']
diff --git a/src/services/api/graphql/graphql/queries.py b/src/services/api/graphql/graphql/queries.py
index 3a88e3c80..1ad586428 100644
--- a/src/services/api/graphql/graphql/queries.py
+++ b/src/services/api/graphql/graphql/queries.py
@@ -73,6 +73,12 @@ def make_query_resolver(query_name, class_name, session_func):
                 info = kwargs['info']
                 user = info.context.get('user')
                 if user is None:
+                    error = info.context.get('error')
+                    if error is not None:
+                        return {
+                            "success": False,
+                            "errors": [error]
+                        }
                     return {
                         "success": False,
                         "errors": ['not authenticated']
diff --git a/src/services/api/graphql/libs/token_auth.py b/src/services/api/graphql/libs/token_auth.py
index 3ecd8b855..2100eba7f 100644
--- a/src/services/api/graphql/libs/token_auth.py
+++ b/src/services/api/graphql/libs/token_auth.py
@@ -54,6 +54,9 @@ def get_user_context(request):
             user_id: str = payload.get('sub')
             if user_id is None:
                 return context
+        except jwt.exceptions.ExpiredSignatureError:
+            context['error'] = 'expired token'
+            return context
         except jwt.PyJWTError:
             return context
         try:
-- 
cgit v1.2.3