From 8ea386abe8f548d5df16ab959285da99f167e765 Mon Sep 17 00:00:00 2001
From: Alexander Onnikov
Date: Tue, 8 Apr 2025 13:19:11 +0700
Subject: [PATCH] fix: handle token error in collaborator service (#8493)
Signed-off-by: Alexander Onnikov
---
 server/collaborator/src/server.ts | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/server/collaborator/src/server.ts b/server/collaborator/src/server.ts
index 5989975e05..b0bde7bdc9 100644
--- a/server/collaborator/src/server.ts
+++ b/server/collaborator/src/server.ts
@@ -16,7 +16,7 @@
 import { Analytics } from '@hcengineering/analytics'
 import { MeasureContext, generateId, metricsAggregate } from '@hcengineering/core'
 import type { StorageAdapter } from '@hcengineering/server-core'
-import { Token, decodeToken } from '@hcengineering/server-token'
+import { Token, TokenError, decodeToken } from '@hcengineering/server-token'
 import { Hocuspocus } from '@hocuspocus/server'
 import bp from 'body-parser'
 import cors from 'cors'
@@ -132,6 +132,11 @@ export async function start (ctx: MeasureContext, config: Config, storageAdapter
 })
 res.end(json)
 } catch (err: any) {
+ if (err instanceof TokenError) {
+ res.status(401).send({ error: 'Unauthorized' })
+ return
+ }
+
 ctx.error('statistics error', { err })
 Analytics.handleError(err)
 res.writeHead(404, {})
@@ -143,7 +148,16 @@ export async function start (ctx: MeasureContext, config: Config, storageAdapter
 app.post('/rpc/:id', async (req, res) => {
 const authHeader = req.headers.authorization
 if (authHeader === undefined) {
- res.status(403).send({ error: 'Unauthorized' })
+ res.status(401).send({ error: 'Unauthorized' })
+ return
+ }
+
+ const rawToken = authHeader.split(' ')[1]
+ let token: Token
+ try {
+ token = decodeToken(rawToken)
+ } catch {
+ res.status(401).send({ error: 'Unauthorized' })
 return
 }
 
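Review bot: The new `TokenError` branch in the statistics handler's catch block returns before `ctx.error` and `Analytics.handleError`, so a rejected token leaves no trace; the same holds for both 401 paths added to the `/rpc/:id` handler in the next hunk. A low-level log line that records the rejection without the token value, for example `ctx.info('statistics unauthorized', { reason: err.message })`, would make repeated invalid-token requests visible to whoever watches the service. The `try` this catch belongs to starts outside the hunk, so it is not visible whether response headers can already have been written when the error is thrown; if they can, `res.status(401)` would fail at that point.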
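Review bot: The bare `catch {` around `decodeToken(rawToken)` in the `/rpc/:id` handler turns every failure into a 401, whereas the statistics handler in this same commit maps only `TokenError` to 401; a non-token failure inside `decodeToken` (presumably possible, e.g. a configuration problem) would be reported to clients as bad credentials and never logged. Binding the error and adding `if (!(err instanceof TokenError)) ctx.error('rpc token error', { err })` before the response keeps the 401 but makes the unexpected case visible. Separately, `authHeader.split(' ')[1]` ignores the scheme part of the header, so comparing the first element with `Bearer` would tighten the check, if that is the scheme clients send. The handler body continues past the end of the hunk.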
@@ -167,8 +181,6 @@ export async function start (ctx: MeasureContext, config: Config, storageAdapter
 return
 }
- const rawToken = authHeader.split(' ')[1]
- const token = decodeToken(rawToken)
 const context = await getContext(rawToken, token)
 rpcCtx.info('rpc', { method: request.method, connectionId: context.connectionId, mode: token.extra?.mode ?? '' })