Added error handling for expired JWT in UserMeetingSettingsService.

alvimmh · alvimmh · commit fb51ff613ed8 · 2021-10-25T22:55:23.000-05:00
Specifically, the method 'handleConnectCalendarCallback' was updated and the JWT verification secret value has been moved to an environment variable.
diff --git a/README.md b/README.md
@@ -43,6 +43,8 @@
       # Get nylas client id and secret from nylas developer page
       NYLAS_CLIENT_ID=
       NYLAS_CLIENT_SECRET=
+      # Configure a secret value to be used in UserMeetingSettingsService in the method 'handleConnectCalendarCallback'
+      NYLAS_CONNECT_CALENDAR_JWT_SECRET=
       # Locally deployed services (via docker-compose)
       ES_HOST=http://dockerhost:9200
       DATABASE_URL=postgres://postgres:postgres@dockerhost:5432/postgres
diff --git a/config/default.js b/config/default.js
@@ -330,6 +330,7 @@ module.exports = {
   // Nylas Client id
   NYLAS_CLIENT_ID: process.env.NYLAS_CLIENT_ID,
   NYLAS_CLIENT_SECRET: process.env.NYLAS_CLIENT_SECRET,
+  NYLAS_CONNECT_CALENDAR_JWT_SECRET: process.env.NYLAS_CONNECT_CALENDAR_JWT_SECRET,
 
   // Zoom JWT credentials
   ZOOM_ACCOUNTS: process.env.ZOOM_ACCOUNTS
diff --git a/src/services/UserMeetingSettingsService.js b/src/services/UserMeetingSettingsService.js
@@ -188,7 +188,13 @@ createUserMeetingSettingsIfNotExisting.schema = Joi.object().keys({
  */
 async function handleConnectCalendarCallback (reqQuery) {
   // verifying jwt token for request query param - 'state'
-  const verifyQueryStateJwt = await jwt.verify(reqQuery.state, 'secret')
+  const verifyQueryStateJwt = await jwt.verify(reqQuery.state, config.NYLAS_CONNECT_CALENDAR_JWT_SECRET, (err, decoded) => {
+    if (err) {
+      throw new errors.UnauthorizedError('Could not verify JWT token.')
+    }
+
+    return decoded
+  })
 
   // note userId is actually the UUID in the following line. not to confuse with other 'userId'
   const { userId, redirectTo } = verifyQueryStateJwt
@@ -207,7 +213,7 @@ async function handleConnectCalendarCallback (reqQuery) {
     const { accessToken, accountId, provider } = await NylasService.getAccessToken(reqQuery.code)
     // view https://developer.nylas.com/docs/api/#post/oauth/token for error response schema
     if (!accessToken || !accountId) {
-      throw new errors.BadRequestError('Error during getting access token for the calendar.')
+      throw new errors.BadRequestError('Error getting access token for the calendar.')
     }
 
     // getting user's all existing calendars
