Catch auth middleware errors (#287)

adam-maj · web-flow · commit f6a58d05b55f · 2023-11-02T12:55:34.000-07:00
diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
@@ -182,69 +182,73 @@ export const withAuth = async (server: FastifyInstance) => {
       return;
     }
 
-    // If we have a valid secret key, skip authentication check
-    const thirdwebApiSecretKey = req.headers.authorization?.split(" ")[1];
-    if (thirdwebApiSecretKey === env.THIRDWEB_API_SECRET_KEY) {
-      // If the secret key is being used, treat the user as the auth wallet
-      const config = await getConfiguration();
-      const wallet = new LocalWallet();
-      await wallet.import({
-        encryptedJson: config.authWalletEncryptedJson,
-        password: env.THIRDWEB_API_SECRET_KEY,
-      });
+    try {
+      // If we have a valid secret key, skip authentication check
+      const thirdwebApiSecretKey = req.headers.authorization?.split(" ")[1];
+      if (thirdwebApiSecretKey === env.THIRDWEB_API_SECRET_KEY) {
+        // If the secret key is being used, treat the user as the auth wallet
+        const config = await getConfiguration();
+        const wallet = new LocalWallet();
+        await wallet.import({
+          encryptedJson: config.authWalletEncryptedJson,
+          password: env.THIRDWEB_API_SECRET_KEY,
+        });
 
-      req.user = {
-        address: await wallet.getAddress(),
-        session: {
-          permissions: Permission.Admin,
-        },
-      };
-      return;
-    }
+        req.user = {
+          address: await wallet.getAddress(),
+          session: {
+            permissions: Permission.Admin,
+          },
+        };
+        return;
+      }
 
-    // Otherwise, check for an authenticated user
-    const jwt = getJWT(req);
-    if (jwt) {
-      // 1. Check if the token is a valid engine JWT
-      const token = await getToken({ jwt });
+      // Otherwise, check for an authenticated user
+      const jwt = getJWT(req);
+      if (jwt) {
+        // 1. Check if the token is a valid engine JWT
+        const token = await getToken({ jwt });
 
-      // First, we ensure that the token hasn't been revoked
-      if (token?.revokedAt === null) {
-        // Then we perform our standard auth checks for the user
-        const user = await getUser(req);
+        // First, we ensure that the token hasn't been revoked
+        if (token?.revokedAt === null) {
+          // Then we perform our standard auth checks for the user
+          const user = await getUser(req);
 
-        // Ensure that the token user is an admin or owner
-        if (
-          (user && user?.session?.permissions === Permission.Owner) ||
-          user?.session?.permissions === Permission.Admin
-        ) {
-          req.user = user;
-          return;
+          // Ensure that the token user is an admin or owner
+          if (
+            (user && user?.session?.permissions === Permission.Owner) ||
+            user?.session?.permissions === Permission.Admin
+          ) {
+            req.user = user;
+            return;
+          }
         }
-      }
 
-      // 2. Otherwise, check if the token is a valid api-server JWT
-      const user =
-        (await authWithApiServer(jwt, "thirdweb.com")) ||
-        (await authWithApiServer(jwt, "thirdweb-preview.com"));
+        // 2. Otherwise, check if the token is a valid api-server JWT
+        const user =
+          (await authWithApiServer(jwt, "thirdweb.com")) ||
+          (await authWithApiServer(jwt, "thirdweb-preview.com"));
 
-      // If we have an api-server user, return it with the proper permissions
-      if (user) {
-        const res = await getPermissions({ walletAddress: user.address });
+        // If we have an api-server user, return it with the proper permissions
+        if (user) {
+          const res = await getPermissions({ walletAddress: user.address });
 
-        if (
-          res?.permissions === Permission.Owner ||
-          res?.permissions === Permission.Admin
-        ) {
-          req.user = {
-            address: user.address,
-            session: {
-              permissions: res.permissions,
-            },
-          };
-          return;
+          if (
+            res?.permissions === Permission.Owner ||
+            res?.permissions === Permission.Admin
+          ) {
+            req.user = {
+              address: user.address,
+              session: {
+                permissions: res.permissions,
+              },
+            };
+            return;
+          }
         }
       }
+    } catch {
+      // no-op
     }
 
     // If we have no secret key or authenticated user, return 401
