fix(auth): stop writing OAuth validation errors directly to res

PierreBrisorgueil · PierreBrisorgueil · commit 1ae9393d383a · 2026-02-21T15:57:17.000+01:00
diff --git a/modules/auth/controllers/auth.controller.js b/modules/auth/controllers/auth.controller.js
@@ -113,7 +113,7 @@ const oauthCall = (req, res, next) => {
  * @param {Object} providerUserProfile
  * @param {Function} done - done
  */
-const checkOAuthUserProfile = async (profil, key, provider, res) => {
+const checkOAuthUserProfile = async (profil, key, provider) => {
   // check if user exist
   try {
     const query = {};
@@ -137,10 +137,11 @@ const checkOAuthUserProfile = async (profil, key, provider, res) => {
     const result = model.getResultFromZod(user, UsersSchema.User);
     // check error
     const error = model.checkError(result);
-    if (error) return responses.error(res, 422, 'Schema validation error', error)(result.error);
+    if (error) throw new AppError('Schema validation error', { code: 'VALIDATION_ERROR', details: { message: error } });
     // else return req.body with the data after Zod validation
     return await UserService.create(result.value);
   } catch (err) {
+    if (err instanceof AppError) throw err;
     throw new AppError('oAuth', { code: 'CONTROLLER_ERROR', details: err.details || err });
   }
 };
@@ -163,7 +164,7 @@ const oauthCallback = async (req, res, next) => {
         providerData: {},
       };
       user.providerData[req.body.key] = req.body.value;
-      user = await checkOAuthUserProfile(user, req.body.key, strategy, res);
+      user = await checkOAuthUserProfile(user, req.body.key, strategy);
       const token = jwt.sign({ userId: user.id }, config.jwt.secret, {
         expiresIn: config.jwt.expiresIn,
       });
@@ -177,7 +178,12 @@ const oauthCallback = async (req, res, next) => {
           message: 'oAuth Ok',
         });
     } catch (err) {
-      return responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err.details || err))(err);
+      return responses.error(
+        res,
+        422,
+        err instanceof AppError && err.code === 'VALIDATION_ERROR' ? errors.getMessage(err) : 'Unprocessable Entity',
+        errors.getMessage(err.details || err),
+      )(err);
     }
   }
   // classic web oAuth
diff --git a/modules/auth/tests/auth.integration.tests.js b/modules/auth/tests/auth.integration.tests.js
@@ -486,28 +486,30 @@ describe('Auth integration tests:', () => {
         avatar: '',
         providerData: { id: 'google-fake-id-999' },
       };
-      const mockRes = { status() { return this; }, json() {}, cookie() { return this; } };
-      const result = await AuthController.checkOAuthUserProfile(profil, 'id', 'google', mockRes);
+      const result = await AuthController.checkOAuthUserProfile(profil, 'id', 'google');
       expect(result).toBeDefined();
       expect(result.id).toBeDefined();
       expect(result.email).toBe(profil.email);
       oauthUsers.push(result);
     });
 
-    test('should return 422 when checkOAuthUserProfile receives an invalid profile', async () => {
+    test('should throw validation AppError when checkOAuthUserProfile receives an invalid profile', async () => {
       const invalidProfil = {
         firstName: '', // invalid — fails min(1)
         lastName: 'Test',
         email: 'invalid-oauth@test.com',
         avatar: '',
         providerData: { id: 'google-invalid-999' },
       };
-      const errors = [];
-      const mockRes = { status() { return this; }, json(body) { errors.push(body); }, cookie() { return this; } };
-      const result = await AuthController.checkOAuthUserProfile(invalidProfil, 'id', 'google', mockRes);
-      expect(result).toBeDefined();
-      expect(result.type).toBe('error');
-      expect(errors[0]?.message).toBe('Schema validation error');
+      await expect(
+        AuthController.checkOAuthUserProfile(invalidProfil, 'id', 'google'),
+      ).rejects.toMatchObject({
+        message: 'Schema validation error',
+        code: 'VALIDATION_ERROR',
+        details: {
+          message: expect.any(String),
+        },
+      });
     });
 
     test('should throw AppError when create fails inside checkOAuthUserProfile', async () => {
@@ -518,10 +520,9 @@ describe('Auth integration tests:', () => {
         avatar: '',
         providerData: { id: 'google-err-000' },
       };
-      const mockRes = { status() { return this; }, json() {}, cookie() { return this; } };
       const createSpy = jest.spyOn(UserService, 'create').mockRejectedValueOnce(new Error('DB error'));
       await expect(
-        AuthController.checkOAuthUserProfile(profil, 'id', 'google', mockRes),
+        AuthController.checkOAuthUserProfile(profil, 'id', 'google'),
       ).rejects.toThrow('oAuth');
       createSpy.mockRestore();
     });
@@ -590,9 +591,8 @@ describe('Auth integration tests:', () => {
         avatar: '',
         providerData: { id: 'google-find-id-777' },
       };
-      const mockRes = { status() { return this; }, json() {}, cookie() { return this; } };
       // Second call — should find the existing user (search.length === 1 branch)
-      const found = await AuthController.checkOAuthUserProfile(profil, 'id', 'google', mockRes);
+      const found = await AuthController.checkOAuthUserProfile(profil, 'id', 'google');
       expect(found).toBeDefined();
 
       // cleanup
