fix: error handling in guardian handlers for forbidden depreated feature (#1086)

* fix: enhance error handling in guardian handlers for forbidden deprecated feature

* test: add unit tests for isForbiddenFeatureError utility function

* test: add handling for forbidden errors in guardian factor and template tests

Author: kushalshit27

src/tools/auth0/handlers/guardianFactorProviders.ts

@@ -1,6 +1,7 @@
 import DefaultHandler from './default';
 import constants from '../../constants';
 import { Asset, Assets } from '../../../types';
+import { isForbiddenFeatureError } from '../../utils';
 
 const mappings = Object.entries(constants.GUARDIAN_FACTOR_PROVIDERS).reduce(
   (accum: { name: string; provider: string }[], [name, providers]) => {
@@ -35,29 +36,40 @@ export default class GuardianFactorProvidersHandler extends DefaultHandler {
     });
   }
 
-  async getType(): Promise<Asset[]> {
+  async getType(): Promise<Asset[] | null> {
     if (this.existing) return this.existing;
 
-    const data = await Promise.all(
-      mappings.map(async (m) => {
-        let provider;
-        // TODO: This is quite a change, needs to be validated for sure.
-        if (m.name === 'phone' && m.provider === 'twilio') {
-          provider = await this.client.guardian.getPhoneFactorProviderTwilio();
-        } else if (m.name === 'sms' && m.provider === 'twilio') {
-          provider = await this.client.guardian.getSmsFactorProviderTwilio();
-        } else if (m.name === 'push-notification' && m.provider === 'apns') {
-          provider = await this.client.guardian.getPushNotificationProviderAPNS();
-        } else if (m.name === 'push-notification' && m.provider === 'sns') {
-          provider = await this.client.guardian.getPushNotificationProviderSNS();
-        }
+    try {
+      const data = await Promise.all(
+        mappings.map(async (m) => {
+          let provider;
+          // TODO: This is quite a change, needs to be validated for sure.
+          if (m.name === 'phone' && m.provider === 'twilio') {
+            provider = await this.client.guardian.getPhoneFactorProviderTwilio();
+          } else if (m.name === 'sms' && m.provider === 'twilio') {
+            provider = await this.client.guardian.getSmsFactorProviderTwilio();
+          } else if (m.name === 'push-notification' && m.provider === 'apns') {
+            provider = await this.client.guardian.getPushNotificationProviderAPNS();
+          } else if (m.name === 'push-notification' && m.provider === 'sns') {
+            provider = await this.client.guardian.getPushNotificationProviderSNS();
+          }
 
-        return { ...m, ...provider.data };
-      })
-    );
+          return { ...m, ...provider.data };
+        })
+      );
+
+      // Filter out empty, should have more then 2 keys (name, provider)
+      return data.filter((d) => Object.keys(d).length > 2);
+    } catch (err) {
+      if (err.statusCode === 404 || err.statusCode === 501) {
+        return null;
+      }
+      if (isForbiddenFeatureError(err, this.type)) {
+        return null;
+      }
 
-    // Filter out empty, should have more then 2 keys (name, provider)
-    return data.filter((d) => Object.keys(d).length > 2);
+      throw err;
+    }
   }
 
   async processChanges(assets: Assets): Promise<void> {

src/tools/auth0/handlers/guardianFactorTemplates.ts

@@ -1,7 +1,8 @@
+import { TemplateMessages } from 'auth0';
 import DefaultHandler from './default';
 import constants from '../../constants';
 import { Assets, Asset } from '../../../types';
-import { TemplateMessages } from 'auth0';
+import { isForbiddenFeatureError } from '../../utils';
 
 export const schema = {
   type: 'array',
@@ -25,25 +26,33 @@ export default class GuardianFactorTemplatesHandler extends DefaultHandler {
     });
   }
 
-  async getType(): Promise<Asset[]> {
+  async getType(): Promise<Asset[] | null> {
     if (this.existing) return this.existing;
+    try {
+      const data = await Promise.all(
+        constants.GUARDIAN_FACTOR_TEMPLATES.map(async (name) => {
+          if (name === 'sms') {
+            const { data: templates } = await this.client.guardian.getSmsFactorTemplates();
+            return { name, ...templates };
+          }
 
-    const data = await Promise.all(
-      constants.GUARDIAN_FACTOR_TEMPLATES.map(async (name) => {
-        // TODO: This is quite a change, needs to be validated for sure.
-        if (name === 'sms') {
-          const { data: templates } = await this.client.guardian.getSmsFactorTemplates();
-          return { name, ...templates };
-          // TODO: GUARDIAN_FACTOR_TEMPLATES only contains 'sms'. Is that expected? We also have 'phone'.
-        } else {
           const { data: templates } = await this.client.guardian.getPhoneFactorTemplates();
           return { name, ...templates };
-        }
-      })
-    );
+        })
+      );
+
+      // Filter out empty, should have more then 1 keys (name)
+      return data.filter((d) => Object.keys(d).length > 1);
+    } catch (err) {
+      if (err.statusCode === 404 || err.statusCode === 501) {
+        return null;
+      }
+      if (isForbiddenFeatureError(err, this.type)) {
+        return null;
+      }
 
-    // Filter out empty, should have more then 1 keys (name)
-    return data.filter((d) => Object.keys(d).length > 1);
+      throw err;
+    }
   }
 
   async processChanges(assets: Assets): Promise<void> {

src/tools/auth0/handlers/guardianFactors.ts

@@ -1,7 +1,8 @@
+import { Factor, FactorNameEnum } from 'auth0';
 import DefaultHandler from './default';
 import constants from '../../constants';
 import { Asset, Assets } from '../../../types';
-import { Factor, FactorNameEnum } from 'auth0';
+import { isForbiddenFeatureError } from '../../utils';
 
 export const schema = {
   type: 'array',
@@ -25,11 +26,22 @@ export default class GuardianFactorsHandler extends DefaultHandler {
     });
   }
 
-  async getType(): Promise<Asset[]> {
+  async getType(): Promise<Asset[] | null> {
     if (this.existing) return this.existing;
-    const { data } = await this.client.guardian.getFactors();
-    this.existing = data;
-    return this.existing;
+    try {
+      const { data } = await this.client.guardian.getFactors();
+      this.existing = data;
+      return this.existing;
+    } catch (err) {
+      if (err.statusCode === 404 || err.statusCode === 501) {
+        return null;
+      }
+      if (isForbiddenFeatureError(err, this.type)) {
+        return null;
+      }
+
+      throw err;
+    }
   }
 
   async processChanges(assets: Assets): Promise<void> {

src/tools/auth0/handlers/guardianPhoneFactorMessageTypes.ts

@@ -1,7 +1,8 @@
+import { GetMessageTypes200Response } from 'auth0';
 import DefaultHandler from './default';
 import constants from '../../constants';
 import { Asset, Assets } from '../../../types';
-import { GetMessageTypes200Response } from 'auth0';
+import { isForbiddenFeatureError } from '../../utils';
 
 export const schema = {
   type: 'object',
@@ -45,26 +46,29 @@ export default class GuardianPhoneMessageTypesHandler extends DefaultHandler {
     });
   }
 
-  async getType(): Promise<Asset[] | {}> {
+  async getType(): Promise<Asset | null> {
     // in case client version does not support the operation
     if (
       !this.client.guardian ||
       typeof this.client.guardian.getPhoneFactorMessageTypes !== 'function'
     ) {
-      return {};
+      return null;
     }
 
     if (this.existing) return this.existing;
 
     try {
       const { data } = await this.client.guardian.getPhoneFactorMessageTypes();
       this.existing = data;
-    } catch (e) {
-      if (isFeatureUnavailableError(e)) {
+    } catch (err) {
+      if (isFeatureUnavailableError(err)) {
         // Gracefully skip processing this configuration value.
-        return {};
+        return null;
+      }
+      if (isForbiddenFeatureError(err, this.type)) {
+        return null;
       }
-      throw e;
+      throw err;
     }
 
     return this.existing;

src/tools/auth0/handlers/guardianPhoneFactorSelectedProvider.ts

@@ -1,7 +1,8 @@
+import { GetPhoneProviders200Response } from 'auth0';
 import DefaultHandler from './default';
 import constants from '../../constants';
 import { Asset, Assets } from '../../../types';
-import { GetPhoneProviders200Response } from 'auth0';
+import { isForbiddenFeatureError } from '../../utils';
 
 export const schema = {
   type: 'object',
@@ -42,26 +43,29 @@ export default class GuardianPhoneSelectedProviderHandler extends DefaultHandler
     });
   }
 
-  async getType() {
+  async getType(): Promise<Asset | null> {
     // in case client version does not support the operation
     if (
       !this.client.guardian ||
       typeof this.client.guardian.getPhoneFactorSelectedProvider !== 'function'
     ) {
-      return {};
+      return null;
     }
 
     if (this.existing) return this.existing;
 
     try {
       const { data } = await this.client.guardian.getPhoneFactorSelectedProvider();
       this.existing = data;
-    } catch (e) {
-      if (isFeatureUnavailableError(e)) {
+    } catch (err) {
+      if (isFeatureUnavailableError(err)) {
         // Gracefully skip processing this configuration value.
-        return {};
+        return null;
+      }
+      if (isForbiddenFeatureError(err, this.type)) {
+        return null;
       }
-      throw e;
+      throw err;
     }
 
     return this.existing;

src/tools/utils.ts

@@ -275,3 +275,11 @@ export const isDeprecatedError = (err: { message: string; statusCode: number }):
   if (!err) return false;
   return !!(err.statusCode === 403 || err.message?.includes('deprecated feature'));
 };
+
+export const isForbiddenFeatureError = (err, type): boolean => {
+  if (err.statusCode === 403) {
+    log.warn(`${err.message};${err.errorCode ?? ''} - Skipping ${type}`);
+    return true;
+  }
+  return false;
+};

test/tools/auth0/handlers/guardianFactorProviders.tests.js

@@ -59,6 +59,28 @@ describe('#guardianFactorProviders handler', () => {
   });
 
   describe('#guardianFactorProviders process', () => {
+    it('should handle forbidden error', async () => {
+      const throwForbidden = () => {
+        const error = new Error('Forbidden resource access');
+        error.statusCode = 403;
+        throw error;
+      };
+
+      const auth0 = {
+        guardian: {
+          getPhoneFactorProviderTwilio: throwForbidden,
+          getSmsFactorProviderTwilio: throwForbidden,
+          getPushNotificationProviderAPNS: throwForbidden,
+          getPushNotificationProviderSNS: throwForbidden,
+        },
+        pool,
+      };
+
+      const handler = new guardianFactorProvidersTests.default({ client: auth0, config });
+      const data = await handler.getType();
+      expect(data).to.equal(null);
+    });
+
     it('should get guardianFactorProviders', async () => {
       const auth0 = {
         guardian: {

test/tools/auth0/handlers/guardianFactorTemplates.tests.js

@@ -56,6 +56,23 @@ describe('#guardianFactorTemplates handler', () => {
   });
 
   describe('#guardianFactorTemplates process', () => {
+    it('should handle forbidden error', async () => {
+      const auth0 = {
+        guardian: {
+          getSmsFactorTemplates: () => {
+            const error = new Error('Forbidden resource access');
+            error.statusCode = 403;
+            throw error;
+          },
+        },
+        pool,
+      };
+
+      const handler = new guardianFactorTemplatesTests.default({ client: auth0, config });
+      const data = await handler.getType();
+      expect(data).to.equal(null);
+    });
+
     it('should get guardianFactorTemplates', async () => {
       const auth0 = {
         guardian: {

test/tools/auth0/handlers/guardianFactors.tests.js

@@ -55,6 +55,23 @@ describe('#guardianFactors handler', () => {
   });
 
   describe('#guardianFactors process', () => {
+    it('should handle forbidden error', async () => {
+      const auth0 = {
+        guardian: {
+          getFactors: () => {
+            const error = new Error('Forbidden resource access');
+            error.statusCode = 403;
+            throw error;
+          },
+        },
+        pool,
+      };
+
+      const handler = new guardianFactorsTests.default({ client: auth0, config });
+      const data = await handler.getType();
+      expect(data).to.equal(null);
+    });
+
     it('should get guardianFactors', async () => {
       const factors = [
         { name: 'sms', enabled: true },

test/tools/auth0/handlers/guardianPhoneFactorMessageTypes.tests.js

@@ -12,7 +12,7 @@ describe('#guardianPhoneFactorMessageTypes handler', () => {
 
       const handler = new guardianPhoneFactorMessageTypes.default({ client: auth0 });
       const data = await handler.getType();
-      expect(data).to.deep.equal({});
+      expect(data).to.deep.equal(null);
     });
 
     it('should support when endpoint does not exist (older installations)', async () => {
@@ -42,7 +42,7 @@ describe('#guardianPhoneFactorMessageTypes handler', () => {
 
       const handler = new guardianPhoneFactorMessageTypes.default({ client: auth0 });
       const data = await handler.getType();
-      expect(data).to.deep.equal({});
+      expect(data).to.deep.equal(null);
     });
 
     it('should support when endpoint is disabled for tenant', async () => {
@@ -73,7 +73,7 @@ describe('#guardianPhoneFactorMessageTypes handler', () => {
 
       const handler = new guardianPhoneFactorMessageTypes.default({ client: auth0 });
       const data = await handler.getType();
-      expect(data).to.deep.equal({});
+      expect(data).to.deep.equal(null);
     });
 
     it('should get guardian phone factor message types', async () => {
@@ -140,7 +140,7 @@ describe('#guardianPhoneFactorMessageTypes handler', () => {
       const handler = new guardianPhoneFactorMessageTypes.default({ client: auth0 });
       const stageFn = Object.getPrototypeOf(handler).processChanges;
 
-      await stageFn.apply(handler, [{ guardianPhoneFactorMessageTypes: {} }]);
+      await stageFn.apply(handler, [{ guardianPhoneFactorMessageTypes: null }]);
     });
   });
 });