refactor(core): kratos error handling (#4605)

GaloyMoney · Oct 4, 2024 · 5f25b73 · 5f25b73
1 parent 35fc43b
commit 5f25b73
Show file tree

Hide file tree

Showing 19 changed files with 187 additions and 176 deletions.
diff --git a/core/api/src/app/authentication/login.ts b/core/api/src/app/authentication/login.ts
@@ -25,7 +25,6 @@ import {
   AuthWithPhonePasswordlessService,
   AuthWithUsernamePasswordDeviceIdService,
   IdentityRepository,
-  PhoneAccountAlreadyExistsNeedToSweepFundsError,
 } from "@/services/kratos"
 
 import { LedgerService } from "@/services/ledger"
@@ -44,9 +43,9 @@ import { IPMetadataAuthorizer } from "@/domain/accounts-ips/ip-metadata-authoriz
 import { getAccountsOnboardConfig, getDefaultAccountsConfig } from "@/config"
 
 import {
-  UnauthorizedIPForOnboardingError,
-  MissingIPMetadataError,
   InvalidIpMetadataError,
+  MissingIPMetadataError,
+  UnauthorizedIPForOnboardingError,
 } from "@/domain/errors"
 import {
   InvalidPhoneForOnboardingError,
@@ -55,10 +54,11 @@ import {
 import { IpFetcher } from "@/services/ipfetcher"
 
 import { IpFetcherServiceError } from "@/domain/ipfetcher"
-import { ErrorLevel } from "@/domain/shared"
-import { consumeLimiter } from "@/services/rate-limit"
 import { RateLimitConfig } from "@/domain/rate-limit"
 import { RateLimiterExceededError } from "@/domain/rate-limit/errors"
+import { ErrorLevel } from "@/domain/shared"
+import { consumeLimiter } from "@/services/rate-limit"
+import { PhoneAccountAlreadyExistsNeedToSweepFundsError } from "@/domain/kratos"
 
 export const loginWithPhoneToken = async ({
   phone,

diff --git a/core/api/src/app/authentication/logout.ts b/core/api/src/app/authentication/logout.ts
@@ -1,8 +1,6 @@
 import { removeDeviceTokens } from "@/app/users/remove-device-tokens"
-import {
-  AuthWithPhonePasswordlessService,
-  MissingSessionIdError,
-} from "@/services/kratos"
+import { MissingSessionIdError } from "@/domain/kratos"
+import { AuthWithPhonePasswordlessService } from "@/services/kratos"
 
 export const logoutToken = async ({
   userId,

diff --git a/core/api/src/app/errors.ts b/core/api/src/app/errors.ts
@@ -23,9 +23,9 @@ import * as UserErrors from "@/domain/users/errors"
 import * as WalletInvoiceErrors from "@/domain/wallet-invoices/errors"
 import * as SupportError from "@/domain/support/errors"
 import * as OathkeeperError from "@/domain/oathkeeper/errors"
+import * as KratosErrors from "@/domain/kratos/errors"
 
 import * as LedgerFacadeErrors from "@/services/ledger/domain/errors"
-import * as KratosErrors from "@/services/kratos/errors"
 import * as BriaEventErrors from "@/services/bria/errors"
 import * as SvixErrors from "@/services/svix/errors"
 
@@ -55,8 +55,8 @@ export const ApplicationErrors = {
   ...WalletInvoiceErrors,
   ...SupportError,
   ...OathkeeperError,
-
   ...KratosErrors,
+
   ...LedgerFacadeErrors,
   ...BriaEventErrors,
   ...SvixErrors,

diff --git a/core/api/src/domain/kratos/errors.ts b/core/api/src/domain/kratos/errors.ts
@@ -0,0 +1,45 @@
+import { AuthenticationError } from "@/domain/authentication/errors"
+import { ErrorLevel } from "@/domain/shared"
+
+export class KratosError extends AuthenticationError {}
+
+export class MissingSessionIdError extends KratosError {
+  level = ErrorLevel.Critical
+}
+
+export class AuthenticationKratosError extends KratosError {}
+export class AuthorizationKratosError extends KratosError {}
+export class ExtendSessionKratosError extends KratosError {}
+export class InvalidIdentitySessionKratosError extends KratosError {}
+
+export class SessionRefreshRequiredError extends KratosError {}
+
+export class EmailAlreadyExistsError extends KratosError {}
+
+export class PhoneAccountAlreadyExistsError extends KratosError {
+  level = ErrorLevel.Info
+}
+
+export class PhoneAccountAlreadyExistsNeedToSweepFundsError extends KratosError {
+  level = ErrorLevel.Info
+}
+
+export class MissingCreatedAtKratosError extends KratosError {
+  level = ErrorLevel.Critical
+}
+
+export class MissingExpiredAtKratosError extends KratosError {
+  level = ErrorLevel.Critical
+}
+
+export class MissingTotpKratosError extends KratosError {
+  level = ErrorLevel.Critical
+}
+
+export class IncompatibleSchemaUpgradeError extends KratosError {}
+
+export class CodeExpiredKratosError extends KratosError {}
+
+export class UnknownKratosError extends KratosError {
+  level = ErrorLevel.Critical
+}
diff --git a/core/api/src/domain/kratos/index.ts b/core/api/src/domain/kratos/index.ts
@@ -0,0 +1 @@
+export * from "./errors"
diff --git a/core/api/src/domain/kratos/index.types.d.ts b/core/api/src/domain/kratos/index.types.d.ts
@@ -0,0 +1 @@
+type KratosError = import("./errors").KratosError
diff --git a/core/api/src/graphql/error-map.ts b/core/api/src/graphql/error-map.ts
@@ -740,6 +740,7 @@ export const mapError = (error: ApplicationError): CustomGraphQLError => {
     case "BriaPayloadError":
     case "KratosError":
     case "AuthenticationKratosError":
+    case "AuthorizationKratosError":
     case "ExtendSessionKratosError":
     case "MultipleCurrenciesForSingleCurrencyOperationError":
     case "MattermostError":

diff --git a/core/api/src/services/kratos/auth-email-no-password.ts b/core/api/src/services/kratos/auth-email-no-password.ts
@@ -2,29 +2,30 @@ import { isAxiosError } from "axios"
 
 import { UpdateIdentityBody } from "@ory/client"
 
-import {
-  CodeExpiredKratosError,
-  EmailAlreadyExistsError,
-  IncompatibleSchemaUpgradeError,
-  InvalidIdentitySessionKratosError,
-  KratosError,
-  UnknownKratosError,
-} from "./errors"
 import { kratosAdmin, kratosPublic, toDomainIdentityEmailPhone } from "./private"
 import { SchemaIdType } from "./schema"
 
 import { IdentityRepository } from "./identity"
 
-import { checkedToEmailAddress } from "@/domain/users"
-import { wrapAsyncFunctionsToRunInSpan } from "@/services/tracing"
+import { handleKratosErrors } from "./errors"
+
+import { KRATOS_MASTER_USER_PASSWORD } from "@/config"
 import {
   EmailCodeExpiredError,
   EmailCodeInvalidError,
   EmailUnverifiedError,
   EmailValidationSubmittedTooOftenError,
   LikelyUserAlreadyExistError,
 } from "@/domain/authentication/errors"
-import { KRATOS_MASTER_USER_PASSWORD } from "@/config"
+import {
+  CodeExpiredKratosError,
+  EmailAlreadyExistsError,
+  IncompatibleSchemaUpgradeError,
+  InvalidIdentitySessionKratosError,
+  UnknownKratosError,
+} from "@/domain/kratos"
+import { checkedToEmailAddress } from "@/domain/users"
+import { wrapAsyncFunctionsToRunInSpan } from "@/services/tracing"
 
 // login with email
 
@@ -47,7 +48,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
 
       return data.id as EmailFlowId
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -158,7 +159,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
             email = identity.data.recovery_addresses?.[0].value as EmailAddress
             totpRequired = true
           } else {
-            return new UnknownKratosError(err)
+            return handleKratosErrors(err)
           }
         }
 
@@ -168,7 +169,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
       if (isAxiosError(err) && err.response?.status === 403) {
         return new CodeExpiredKratosError()
       }
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -183,7 +184,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
       // we are assuming that email are unique, therefore only one entry can be returned
       return identity.data[0]?.verifiable_addresses?.[0].verified ?? false
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -211,7 +212,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
 
       return { authToken, kratosUserId }
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -233,7 +234,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: kratosUserId }))
     } catch (err) {
       if (!isAxiosError(err)) {
-        return new UnknownKratosError(err)
+        return handleKratosErrors(err)
       }
 
       if (err.message === "Request failed with status code 400") {
@@ -279,7 +280,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
         }
       }
 
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -289,7 +290,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: kratosUserId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     if (identity.schema_id !== SchemaIdType.PhoneEmailNoPasswordV0) {
@@ -319,7 +320,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
 
       return email
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -329,7 +330,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: kratosUserId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     if (identity.schema_id !== "phone_email_no_password_v0") {
@@ -363,7 +364,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
 
       return phone
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -379,7 +380,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: userId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     if (identity.schema_id !== SchemaIdType.EmailNoPasswordV0) {
@@ -408,7 +409,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
 
       return toDomainIdentityEmailPhone(newIdentity)
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -418,7 +419,7 @@ export const AuthWithEmailPasswordlessService = (): IAuthWithEmailPasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: kratosUserId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     return !!identity.traits.email

diff --git a/core/api/src/services/kratos/auth-phone-no-password.ts b/core/api/src/services/kratos/auth-phone-no-password.ts
@@ -1,23 +1,24 @@
 import { CreateIdentityBody, UpdateIdentityBody } from "@ory/client"
 
-import {
-  AuthenticationKratosError,
-  IncompatibleSchemaUpgradeError,
-  KratosError,
-  UnknownKratosError,
-} from "./errors"
-
 import { kratosAdmin, kratosPublic, toDomainIdentityPhone } from "./private"
 
 import { SchemaIdType } from "./schema"
 
+import { handleKratosErrors } from "./errors"
+
 import { KRATOS_MASTER_USER_PASSWORD } from "@/config"
 
 import {
   LikelyNoUserWithThisPhoneExistError,
   LikelyUserAlreadyExistError,
 } from "@/domain/authentication/errors"
 
+import {
+  AuthenticationKratosError,
+  IncompatibleSchemaUpgradeError,
+  KratosError,
+  UnknownKratosError,
+} from "@/domain/kratos"
 import { wrapAsyncFunctionsToRunInSpan } from "@/services/tracing"
 
 // login with phone
@@ -58,7 +59,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
         return new AuthenticationKratosError(err.message || err)
       }
 
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -70,7 +71,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
     try {
       await kratosAdmin.disableSession({ id: sessionId })
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -103,7 +104,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
         return new LikelyUserAlreadyExistError(err.message || err)
       }
 
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -119,7 +120,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: userId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     if (identity.schema_id !== "username_password_deviceid_v0") {
@@ -146,7 +147,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
 
       return toDomainIdentityPhone(newIdentity)
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -172,7 +173,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
       if (err instanceof Error && err.message === "Request failed with status code 400") {
         return new LikelyUserAlreadyExistError(err.message || err)
       }
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }
 
@@ -188,7 +189,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
     try {
       ;({ data: identity } = await kratosAdmin.getIdentity({ id: kratosUserId }))
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
 
     if (identity.state === undefined) {
@@ -210,7 +211,7 @@ export const AuthWithPhonePasswordlessService = (): IAuthWithPhonePasswordlessSe
       })
       return toDomainIdentityPhone(newIdentity)
     } catch (err) {
-      return new UnknownKratosError(err)
+      return handleKratosErrors(err)
     }
   }