[server] report internal errors to check permissions (#18964)

intead of reporting them as permission denied
gitpod-io · Oct 23, 2023 · b1a30dd · b1a30dd
1 parent 8ac11b1
commit b1a30dd
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/components/server/src/authorization/spicedb-authorizer.ts b/components/server/src/authorization/spicedb-authorizer.ts
@@ -16,6 +16,7 @@ import { base64decode } from "@jmondi/oauth2-server";
 import { DecodedZedToken } from "@gitpod/spicedb-impl/lib/impl/v1/impl.pb";
 import { RequestContext } from "node-fetch";
 import { getRequestContext } from "../util/request-context";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 
 async function tryThree<T>(errMessage: string, code: (attempt: number) => Promise<T>): Promise<T> {
     let attempt = 0;
@@ -110,7 +111,10 @@ export class SpiceDBAuthorizer {
                 log.error("[spicedb] Failed to perform authorization check.", err, {
                     request: new TrustedValue(req),
                 });
-                return { permitted: !featureEnabled };
+                if (!featureEnabled) {
+                    return { permitted: true };
+                }
+                throw new ApplicationError(ErrorCodes.INTERNAL_SERVER_ERROR, "Failed to perform authorization check.");
             } finally {
                 observeSpicedbClientLatency("check", error, timer());
             }