fix(#411): narrow verifySession allowlist — prevent false-positive infra error classification

Replace broad "expired" and "unauthorized" substring matches with specific patterns to prevent infrastructure errors from being misclassified as auth errors: - "expired" -> "token expired", "session expired", or exact match "expired" - "unauthorized" -> exact match "unauthorized" only This prevents TLS errors like "certificate has expired" and DB auth errors like "Unauthorized: Access denied for user" from being silently swallowed as 401 responses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:42:10 -06:00
parent b675db1324
commit 399d5a31c8
2 changed files with 59 additions and 3 deletions
--- a/apps/api/src/auth/auth.service.ts
+++ b/apps/api/src/auth/auth.service.ts
@@ -130,10 +130,12 @@ export class AuthService {
        const msg = error.message.toLowerCase();
        const isExpectedAuthError =
          msg.includes("invalid token") ||
-          msg.includes("expired") ||
+          msg.includes("token expired") ||
+          msg.includes("session expired") ||
          msg.includes("session not found") ||
-          msg.includes("unauthorized") ||
-          msg.includes("invalid session");
+          msg.includes("invalid session") ||
+          msg === "unauthorized" ||
+          msg === "expired";

        if (!isExpectedAuthError) {
          // Infrastructure or unexpected — propagate as 500