( authHook: HttpAuthHook | null, context: HttpAuthHookContext, )
| 424 | } |
| 425 | |
| 426 | async function runHttpAuthHook( |
| 427 | authHook: HttpAuthHook | null, |
| 428 | context: HttpAuthHookContext, |
| 429 | ): Promise<HttpAuthDecision> { |
| 430 | if (!authHook) return { ok: true }; |
| 431 | const result = await authHook(context); |
| 432 | if (result === undefined || result === true) return { ok: true }; |
| 433 | if (result === false) { |
| 434 | const normalized = normalizeError( |
| 435 | new AppError('UNAUTHORIZED', 'Request rejected by auth hook'), |
| 436 | ); |
| 437 | return { |
| 438 | ok: false, |
| 439 | statusCode: 401, |
| 440 | response: createRpcError( |
| 441 | context.rpcRequest.id ?? null, |
| 442 | -32001, |
| 443 | normalized.message, |
| 444 | normalized, |
| 445 | ), |
| 446 | }; |
| 447 | } |
| 448 | if (result.ok === false) { |
| 449 | const normalized = normalizeError( |
| 450 | new AppError( |
| 451 | toAppErrorCode(result.code, 'UNAUTHORIZED'), |
| 452 | result.message ?? 'Request rejected by auth hook', |
| 453 | result.details, |
| 454 | ), |
| 455 | ); |
| 456 | return { |
| 457 | ok: false, |
| 458 | statusCode: 401, |
| 459 | response: createRpcError( |
| 460 | context.rpcRequest.id ?? null, |
| 461 | -32001, |
| 462 | normalized.message, |
| 463 | normalized, |
| 464 | ), |
| 465 | }; |
| 466 | } |
| 467 | if (typeof result.tenantId === 'string' && result.tenantId.length > 0) { |
| 468 | const tenantId = normalizeTenantId(result.tenantId); |
| 469 | if (!tenantId) { |
| 470 | const normalized = normalizeError( |
| 471 | new AppError('INVALID_ARGS', 'Auth hook returned invalid tenantId'), |
| 472 | ); |
| 473 | return { |
| 474 | ok: false, |
| 475 | statusCode: 500, |
| 476 | response: createRpcError( |
| 477 | context.rpcRequest.id ?? null, |
| 478 | -32000, |
| 479 | normalized.message, |
| 480 | normalized, |
| 481 | ), |
| 482 | }; |
| 483 | } |
no test coverage detected