UnauthorizedError not returning error

I have a rule:

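function (user, context, callback) {
  // Auth0 rule. Builds the user's group list from the IdP-supplied groups and
  // the e-mail domain, writes the list (and a signed API token) onto the ID
  // token, optionally adjusts the SAML NameID mapping for one client, and then
  // applies the connection/client-specific authorization checks.
  //
  // Parameters follow the rule contract: `user` (profile), `context`
  // (connection, clientName, idToken, samlConfiguration, redirect) and
  // `callback(err, user, context)`. The function only ever returns through
  // `callback`; an `UnauthorizedError` passed to it denies the login.
  var _ = require('lodash');
  var groupsFromIdP = user.groups || [];
  // TODO: debugging only - `context` carries identity data; drop before production.
  console.log(context);

  var groups = _.union(['GeneralUser'], groupsFromIdP);

  // A missing e-mail throws a TypeError here, which fails the login
  // (fail-closed); every later check depends on this value.
  var userEmail = user.email.toString();
  var atIndex = userEmail.indexOf('@');

  // Only treat the text after '@' as a domain when there actually is one.
  // (The original added 1 before testing `>= 0`, so the branch always ran and
  // an address without '@' was matched whole against the domain list.)
  if (atIndex >= 0) {
    // Domain names are case-insensitive; normalise before the lookup.
    var userDomain = userEmail.substring(atIndex + 1).toLowerCase();

    // Two entries in the original list were missing their opening quote
    // ('google.com' and 'statestreet.com'), which made the rule unparseable.
    var genericDomains = ['asx.com.au', 'accenture.com', 'bnpparibas.com', 'broadridge.com', 'bursamalaysia.com', 'calastone.com', 'citi.com', 'db.com', 'dtcc.com', 'deutsche-boerse.com', 'euroclear.com', 'fanniemae.com', 'gft.com', 'google.com', 'gs.com', 'hkex.com.hk', 'humana.com', 'theice.com', 'jpmorgan.com', 'lseg.com', 'pnc.com', 'sgx.com', 'statestreet.com', 'strate.co.za', 'td.com'];

    if (genericDomains.indexOf(userDomain) >= 0) {
      groups = _.union(['GenericCustomer'], groups);
    }

    groups = _.union(['SDKUser'], groups);
    groups = _.union(['validated_people'], groups);
  }

  context.idToken['<removed - link>'] = groups;

  // NOTE(review): a client secret is hard-coded in the rule body (and is now
  // public in this post). Rotate it, and read it from the rule settings
  // (`configuration`) rather than keeping the literal in the rule.
  var CLIENT_SECRET = 'lLXmX5CYiryn5ZG0IZe739-ZjVscNoFzkPAV2QwcvdPM-_sllVRPFFvgKh-s08zf';
  var CLIENT_ID = 'nCMYFjoep8SjJn0Ot1xyc2t1cDS73jcp';

  //Copies user profile attributes needed in the API (equivalent to `scope`)
  var api_user = {
    user_id: user.email,
    email: user.email,
    name: user.name
  };

  var options = {
    subject: user.email,
    expiresInMinutes: 600, //Should be greater than the SAML token expiration
    audience: CLIENT_ID,
    issuer: '<removed - link>'
  };

  // `Buffer.from` replaces the deprecated `new Buffer(...)` constructor.
  // NOTE(review): `jwt` is never required in this listing - presumably the
  // sandbox provides it or the require line was cut from the paste; confirm.
  context.idToken['<removed - link>'] = jwt.sign(api_user,
      Buffer.from(CLIENT_SECRET, 'base64'),
      options);

  // if available, use upn as NameID
  if (context.clientName === "DA-Zendesk") {
    if (user.email) {
      context.samlConfiguration.mappings = {
        "<removed - link>'r": "email"
      };
    }
  }

  if (context.connection !== 'digitalasset-com' && groups.indexOf('validated_people') < 0) {
    return callback(new UnauthorizedError("Your account is pending approval."));
  }

  // The original was missing the comparison operator on the first indexOf
  // and tested `> 0` on the second; a group at index 0 is still a match.
  if (context.connection !== 'digitalasset-com' && context.clientName === 'SDK-bintray' && (groups.indexOf('CustomerDBG') >= 0 || groups.indexOf('CustomerBBK') >= 0)) {
    return callback(new UnauthorizedError("You are not authorised to access this service."));
  }

  if (userEmail.indexOf('+') >= 0) {
    console.log('email has + - unauthorized: ' + userEmail);
    return callback(new UnauthorizedError("Email addresses containing \'+\' are not valid"));
  }

  if (!user.email_verified) {
    // NOTE(review): `rror_description` in the query string looks like a typo
    // for `error_description` - confirm what 50x.html actually reads.
    context.redirect = {
        url: "https://docs.digitalasset.com/50x.html?error=unvalidated%20email&rror_description=Please%20validate%20your%20email%20address"
    };
    // return callback(new UnauthorizedError("Please check your email to validate your account."));
  }

  return callback(null, user, context);
}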

The relevant part is the check for a ‘+’ sign in the email address. A Real-Time Webtask log shows that the console log line does appear, i.e. the condition evaluates as expected. But the rule does NOT produce an UnauthorizedError, and the authentication is allowed to proceed. Why would that occur?

What happens if you create another rule that simply returns an UnauthorizedError, like this:

function (user, context, callback) {
  // Minimal rule used to confirm that an UnauthorizedError passed to the
  // callback actually denies the login; it rejects every user with the same
  // message as the '+' check in the full rule.
  var denial = new UnauthorizedError("Email addresses containing \'+\' are not valid");
  return callback(denial);
}

What flow are you trying to use (i.e. regular interactive login, sign up, resource owner password credentials,…)?

As a general good practice, I’d recommend splitting different logic into different rules. E.g.

  • “Redirect if email is not verified”
  • “Check for valid email addresses”
  • “Check authorization for SDK-bintray”
  • and so on

I changed the check to perform a redirect instead — which is actually closer to what is wanted — and it now works. I will also take your point about splitting up the rules. Thanks

