Merge pull request #7290 from taskcluster/fix/auth-pagination

feat(auth): Fix error handling in continuation token
taskcluster · Sep 30, 2024 · 1f50152 · 1f50152
2 parents b272822 + 45f6e77
commit 1f50152
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/changelog/a2Z3cBueQ22fD0s4BGC7bQ.md b/changelog/a2Z3cBueQ22fD0s4BGC7bQ.md
@@ -0,0 +1,4 @@
+audience: users
+level: patch
+---
+Fixes continuation token error handling
diff --git a/services/auth/src/api.js b/services/auth/src/api.js
@@ -56,7 +56,12 @@ const rolesResponseBuilder = async (that, req, res) => {
 
  // Assign the continuationToken
  if (req.query.continuationToken) {
- continuationToken = hashids.decode(req.query.continuationToken);
+ try {
+ continuationToken = hashids.decode(req.query.continuationToken);
+ } catch (err) {
+ // hashids.decode will throw an error if token contains invalid characters
+ return res.reportError('InputError', 'Invalid continuationToken', {});
+ }
  // If continuationToken is invalid
  if (continuationToken.length === 0) {
  return res.reportError('InputError', 'Invalid continuationToken', {});

diff --git a/services/auth/test/role_test.js b/services/auth/test/role_test.js
@@ -299,6 +299,12 @@ helper.secrets.mockSuite(testing.suiteName(), ['gcp'], function(mock, skipping)
  await helper.apiClient.listRoleIds(query)
  .then(() => assert(false, 'Expected error'),
  err => assert(err.statusCode === 400, 'Expected 400'));
+
+ // testing unexpected characters that make hashids.decode throw error
+ query.continuationToken = '@@something##';
+ await helper.apiClient.listRoleIds(query)
+ .then(() => assert(false, 'Expected error'),
+ err => assert(err.statusCode === 400, 'Expected 400'));
  });
 
  test('listRoles2', async () => {