How to differentiate between not authorised and token expired

[izaacdb]

I've been reading the docs here again: https://typegraphql.com/docs/authorization.html and can see there is a way to do this with apollo-server-express. I'd rather not rewrite everything to use that unless it's completely necessary.

I've implemented everything up to getting the refresh token working. To do this, I think I have to be able to return the TokenExpiredError which is available in the ApolloServer context:

context: ({req}) => {
	const token = req.headers.authorization?.split(' ')[1] || ''
	try {
		const user = jwt.verify(token, process.env.JWT_KEY as string) as JwtUser
		const ctx: AuthContext = {
			user,
		}
		return ctx
	} catch (e) {
		Log.error(e)
		// TokenExpiredError: jwt expired
	}
	return undefined
},

Using this error the frontend apollo client can then know it has to do a token refresh.

Problem is that any auth error is always returned as Access denied, so I can't differentiate an expiry and an invalid auth level problem on the frontend.

Is there a way to get this error to the frontend without using apollo-server-express?

[MichalLytek]

Auth checker is only comparing decoded token (user data) against required roles (from decorator).

In context you need to ask or search apollo server docs about throwing custom error. It's not related to TypeGraphQL.

[izaacdb]

I got around this by moving the logic from context to the auth checker. I think because the JWT verify throws an error when expired you have to validate in the auth checker rather than in the context. Otherwise it doesn't stop execution and continues to the generic 'access denied' error.

I think it could be useful to have a comment about it in this example, as that's why I've gotten stuck on the errors for a bit.
https://github.com/MichalLytek/type-graphql/blob/master/examples/authorization/index.ts

The try catch isn't completely necessary but lets you add the date to the error message. Without it you'll get jwt expired.

context: ({req}) => {
	const token = req.headers.authorization?.split(' ')[1] || ''
	return {token}
},

...

export const authChecker: AuthChecker<AuthContext, RoleEnum> = ({context: {token}}, roles) => {
let user = null
try {
	user = jwt.verify(token, process.env.JWT_KEY as string) as JwtUser
} catch (e) {
	const {exp} = jwt.decode(token) as JwtUser
	throw new TokenExpiredError(`Login has expired. ${new Date(exp * 1000).toISOString()}`, new Date(exp * 1000))
}