fix(#411): remediate backend review findings — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession

- Wire COOKIE_DOMAIN env var into BetterAuth cookie config - Add URL validation for TRUSTED_ORIGINS (rejects non-HTTP, invalid URLs) - Include original parse error in validateRedirectUri error message - Distinguish infrastructure errors from auth errors in verifySession (Prisma/connection errors now propagate as 500 instead of masking as 401) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 12:31:53 -06:00
parent 3fbba135b9
commit 7ead8b1076
4 changed files with 166 additions and 7 deletions
--- a/apps/api/src/auth/auth.service.ts
+++ b/apps/api/src/auth/auth.service.ts
@@ -108,9 +108,26 @@ export class AuthService {
        session: session.session as Record<string, unknown>,
      };
    } catch (error) {
-      this.logger.error(
+      // Infrastructure errors (database down, connection failures) should propagate
+      // so the global exception filter returns 500/503, not 401
+      if (
+        error instanceof Error &&
+        (error.constructor.name.startsWith("Prisma") ||
+          error.message.includes("connect") ||
+          error.message.includes("ECONNREFUSED") ||
+          error.message.includes("timeout"))
+      ) {
+        this.logger.error(
+          "Session verification failed due to infrastructure error",
+          error.stack,
+        );
+        throw error;
+      }
+
+      // Expected auth errors (invalid/expired token) return null
+      this.logger.warn(
        "Session verification failed",
-        error instanceof Error ? error.message : "Unknown error"
+        error instanceof Error ? error.message : "Unknown error",
      );
      return null;
    }