feat: use pkg hookserrors in hookshttp & hookspgfunc

This allows consistent error handling across both the hookshttp
and hookspgfunc packages without the need to embed AuthHookError
in every single output struct.

In addition this required moving `validateTokenClaims` to the
API package. This removes the need for a single special case
in the dispatching of hooks in pkg `internal/hooks/v0hooks`.

Author: Chris Stockton

internal/api/hooks_test.go

@@ -1,7 +1,6 @@
 package api
 
 import (
-	"encoding/json"
 	"net/http"
 	"testing"
 
@@ -12,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/hooks/hookserrors"
 	"github.com/supabase/auth/internal/hooks/v0hooks"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/storage"
@@ -70,20 +70,20 @@ func (ts *HooksTestSuite) TestRunHTTPHook() {
 	testURL := "http://localhost:54321/functions/v1/custom-sms-sender"
 	ts.Config.Hook.SendSMS.URI = testURL
 
-	unsuccessfulResponse := v0hooks.AuthHookError{
+	unsuccessfulResponse := hookserrors.Error{
 		HTTPCode: http.StatusUnprocessableEntity,
 		Message:  "test error",
 	}
 
 	testCases := []struct {
 		description  string
 		expectError  bool
-		mockResponse v0hooks.AuthHookError
+		mockResponse hookserrors.Error
 	}{
 		{
 			description:  "Hook returns success",
 			expectError:  false,
-			mockResponse: v0hooks.AuthHookError{},
+			mockResponse: hookserrors.Error{},
 		},
 		{
 			description:  "Hook returns error",
@@ -102,23 +102,22 @@ func (ts *HooksTestSuite) TestRunHTTPHook() {
 		Post("/").
 		MatchType("json").
 		Reply(http.StatusUnprocessableEntity).
-		JSON(v0hooks.SendSMSOutput{HookError: unsuccessfulResponse})
+		JSON(struct {
+			Error *hookserrors.Error `json:"error,omitempty"`
+		}{Error: &unsuccessfulResponse})
 
 	for _, tc := range testCases {
 		ts.Run(tc.description, func() {
 			req, _ := http.NewRequest("POST", ts.Config.Hook.SendSMS.URI, nil)
-			body, err := ts.API.hooksMgr.RunHTTPHook(req, ts.Config.Hook.SendSMS, &input)
+
+			var output v0hooks.SendSMSOutput
+			err := ts.API.hooksMgr.InvokeHook(ts.API.db, req, &input, &output)
 
 			if !tc.expectError {
 				require.NoError(ts.T(), err)
 			} else {
 				require.Error(ts.T(), err)
-				if body != nil {
-					var output v0hooks.SendSMSOutput
-					require.NoError(ts.T(), json.Unmarshal(body, &output))
-					require.Equal(ts.T(), unsuccessfulResponse.HTTPCode, output.HookError.HTTPCode)
-					require.Equal(ts.T(), unsuccessfulResponse.Message, output.HookError.Message)
-				}
+				require.Equal(ts.T(), output, v0hooks.SendSMSOutput{})
 			}
 		})
 	}
@@ -154,12 +153,9 @@ func (ts *HooksTestSuite) TestShouldRetryWithRetryAfterHeader() {
 	req, err := http.NewRequest("POST", "http://localhost:9998/otp", nil)
 	require.NoError(ts.T(), err)
 
-	body, err := ts.API.hooksMgr.RunHTTPHook(req, ts.Config.Hook.SendSMS, &input)
-	require.NoError(ts.T(), err)
-
 	var output v0hooks.SendSMSOutput
-	err = json.Unmarshal(body, &output)
-	require.NoError(ts.T(), err, "Unmarshal should not fail")
+	err = ts.API.hooksMgr.InvokeHook(ts.API.db, req, &input, &output)
+	require.NoError(ts.T(), err)
 
 	// Ensure that all expected HTTP interactions (mocks) have been called
 	require.True(ts.T(), gock.IsDone(), "Expected all mocks to have been called including retry")
@@ -186,10 +182,10 @@ func (ts *HooksTestSuite) TestShouldReturnErrorForNonJSONContentType() {
 	req, err := http.NewRequest("POST", "http://localhost:9999/otp", nil)
 	require.NoError(ts.T(), err)
 
-	_, err = ts.API.hooksMgr.RunHTTPHook(req, ts.Config.Hook.SendSMS, &input)
+	var output v0hooks.SendSMSOutput
+	err = ts.API.hooksMgr.InvokeHook(ts.API.db, req, &input, &output)
 	require.Error(ts.T(), err, "Expected an error due to wrong content type")
 	require.Contains(ts.T(), err.Error(), "Invalid JSON response.")
-
 	require.True(ts.T(), gock.IsDone(), "Expected all mocks to have been called")
 }
 

internal/api/token.go

@@ -2,13 +2,15 @@ package api
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
 	"time"
 
 	"github.com/gofrs/uuid"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/xeipuuv/gojsonschema"
 
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/hooks/v0hooks"
@@ -369,14 +371,16 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 		if err != nil {
 			return "", 0, err
 		}
+		if err := validateTokenClaims(output.Claims); err != nil {
+			return "", 0, err
+		}
 		gotrueClaims = jwt.MapClaims(output.Claims)
 	}
 
 	signed, err := signJwt(&config.JWT, gotrueClaims)
 	if err != nil {
 		return "", 0, err
 	}
-
 	return signed, expiresAt.Unix(), nil
 }
 
@@ -491,3 +495,86 @@ func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection,
 		User:         user,
 	}, nil
 }
+
+var schemaLoader = gojsonschema.NewStringLoader(MinimumViableTokenSchema)
+
+func validateTokenClaims(outputClaims map[string]interface{}) error {
+	documentLoader := gojsonschema.NewGoLoader(outputClaims)
+	result, err := gojsonschema.Validate(schemaLoader, documentLoader)
+	if err != nil {
+		return err
+	}
+
+	if !result.Valid() {
+		var errorMessages string
+
+		for _, desc := range result.Errors() {
+			errorMessages += fmt.Sprintf("- %s\n", desc)
+			fmt.Printf("- %s\n", desc)
+		}
+		return fmt.Errorf(
+			"output claims do not conform to the expected schema: \n%s", errorMessages)
+
+	}
+
+	return nil
+}
+
+// #nosec
+const MinimumViableTokenSchema = `{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "aud": {
+      "type": ["string", "array"]
+    },
+    "exp": {
+      "type": "integer"
+    },
+    "jti": {
+      "type": "string"
+    },
+    "iat": {
+      "type": "integer"
+    },
+    "iss": {
+      "type": "string"
+    },
+    "nbf": {
+      "type": "integer"
+    },
+    "sub": {
+      "type": "string"
+    },
+    "email": {
+      "type": "string"
+    },
+    "phone": {
+      "type": "string"
+    },
+    "app_metadata": {
+      "type": "object",
+      "additionalProperties": true
+    },
+    "user_metadata": {
+      "type": "object",
+      "additionalProperties": true
+    },
+    "role": {
+      "type": "string"
+    },
+    "aal": {
+      "type": "string"
+    },
+    "amr": {
+      "type": "array",
+      "items": {
+        "type": "object"
+      }
+    },
+    "session_id": {
+      "type": "string"
+    }
+  },
+  "required": ["aud", "exp", "iat", "sub", "email", "phone", "role", "aal", "session_id", "is_anonymous"]
+}`

internal/hooks/hookshttp/hookshttp.go

@@ -82,11 +82,11 @@ func New(opts ...Option) *Dispatcher {
 
 func (o *Dispatcher) Dispatch(
 	ctx context.Context,
-	cfg conf.ExtensibilityPointConfiguration,
+	cfg *conf.ExtensibilityPointConfiguration,
 	req any,
 	res any,
 ) error {
-	data, err := o.RunHTTPHook(ctx, cfg, req)
+	data, err := o.runHTTPHook(ctx, cfg, req)
 	if err != nil {
 		return err
 	}
@@ -99,9 +99,9 @@ func (o *Dispatcher) Dispatch(
 	return nil
 }
 
-func (o *Dispatcher) RunHTTPHook(
+func (o *Dispatcher) runHTTPHook(
 	ctx context.Context,
-	hookConfig conf.ExtensibilityPointConfiguration,
+	hookConfig *conf.ExtensibilityPointConfiguration,
 	input any,
 ) ([]byte, error) {
 	client := http.Client{

internal/hooks/hookshttp/hookshttp_test.go

@@ -267,7 +267,7 @@ func TestDispatch(t *testing.T) {
 		}
 
 		res := M{}
-		err := dr.Dispatch(testCtx, cfg, tc.req, &res)
+		err := dr.Dispatch(testCtx, &cfg, tc.req, &res)
 		if tc.err != nil {
 			require.Error(t, err)
 			require.Equal(t, tc.err, err)

internal/hooks/hookspgfunc/hookspgfunc.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/hooks/hookserrors"
 	"github.com/supabase/auth/internal/storage"
 )
 
@@ -47,12 +48,11 @@ func New(db *storage.Connection, opts ...Option) *Dispatcher {
 
 func (o *Dispatcher) Dispatch(
 	ctx context.Context,
-	cfg conf.ExtensibilityPointConfiguration,
+	cfg *conf.ExtensibilityPointConfiguration,
 	tx *storage.Connection,
-	req any,
-	res any,
+	req, res any,
 ) error {
-	data, err := o.RunPostgresHook(ctx, cfg, tx, req)
+	data, err := o.runPostgresHook(ctx, *cfg, tx, req)
 	if err != nil {
 		return err
 	}
@@ -65,7 +65,7 @@ func (o *Dispatcher) Dispatch(
 	return nil
 }
 
-func (o *Dispatcher) RunPostgresHook(
+func (o *Dispatcher) runPostgresHook(
 	ctx context.Context,
 	hookConfig conf.ExtensibilityPointConfiguration,
 	tx *storage.Connection,
@@ -108,5 +108,8 @@ func (o *Dispatcher) RunPostgresHook(
 			return nil, err
 		}
 	}
+	if err := hookserrors.Check(response); err != nil {
+		return nil, err
+	}
 	return response, nil
 }

internal/hooks/hookspgfunc/hookspgfunc_test.go

@@ -182,6 +182,38 @@ func TestDispatch(t *testing.T) {
 				end; $$ language plpgsql;`,
 			errStr: "500: Error unmarshaling JSON output.",
 		},
+
+		{
+			desc: "fail - returned error",
+			cfg: conf.ExtensibilityPointConfiguration{
+				URI:      `pg-functions://postgres/auth/v0pgfunc_test_return_input`,
+				HookName: `"auth"."v0pgfunc_test_return_input"`,
+			},
+			req: M{"error": M{"message": "failed"}},
+			sql: `
+				create or replace function v0pgfunc_test_return_input(input jsonb)
+				returns json as $$
+				begin
+					return input;
+				end; $$ language plpgsql;`,
+			errStr: "500: failed",
+		},
+
+		{
+			desc: "fail - returned error with status",
+			cfg: conf.ExtensibilityPointConfiguration{
+				URI:      `pg-functions://postgres/auth/v0pgfunc_test_return_input`,
+				HookName: `"auth"."v0pgfunc_test_return_input"`,
+			},
+			req: M{"error": M{"message": "failed", "http_code": 403}},
+			sql: `
+				create or replace function v0pgfunc_test_return_input(input jsonb)
+				returns json as $$
+				begin
+					return input;
+				end; $$ language plpgsql;`,
+			errStr: "403: failed",
+		},
 	}
 
 	for idx, tc := range cases {
@@ -210,7 +242,7 @@ func TestDispatch(t *testing.T) {
 		tx := tc.tx
 		cfg := tc.cfg
 		res := M{}
-		err := dr.Dispatch(testCtx, cfg, tx, tc.req, &res)
+		err := dr.Dispatch(testCtx, &cfg, tx, tc.req, &res)
 		if tc.err != nil {
 			require.Error(t, err)
 			require.Equal(t, tc.err, err)