fix: error handling and schema config

Author: vhscom

apps/cloudflare-workers/src/app.ts

@@ -21,6 +21,7 @@ import {
 // [obs-plugin 1/2] Remove this import and the override below to disable observability
 import { observabilityPlugin } from "@private-landing/observability";
 import {
+	AuthenticationError,
 	type Env,
 	ValidationError,
 	type Variables,
@@ -42,6 +43,7 @@ const sessions =
 		? createMirroredSessionService({
 				inner: auth.sessions,
 				getClientIp: defaultGetClientIp,
+				...auth.config.sessions,
 			})
 		: auth.sessions;
 
@@ -62,6 +64,24 @@ type AppEnv = { Bindings: Env; Variables: Variables };
 
 const app = new Hono<AppEnv>();
 
+// Global error boundary — prevents leaking stack traces or internal details
+app.onError((err, ctx) => {
+	if (err instanceof AuthenticationError) {
+		return ctx.json(
+			{ error: err.message, code: err.code },
+			err.statusCode as 400,
+		);
+	}
+	if (err instanceof ValidationError) {
+		return ctx.json({ error: err.message, code: err.code }, 400);
+	}
+	console.error("Unhandled error:", err);
+	return ctx.json(
+		{ error: "Internal server error", code: "INTERNAL_ERROR" },
+		500,
+	);
+});
+
 // No-op defaults — active when observability plugin is not loaded
 const noop: MiddlewareHandler<AppEnv> = async (_, next) => next();
 let obsEmit: (eventType: string) => MiddlewareHandler<AppEnv> = () => noop;
@@ -185,13 +205,18 @@ app.post("/auth/register", rateLimit(rateLimits.register), async (ctx) => {
 			type: "registration.failure",
 			detail: { email: domain },
 		});
+		const isConstraint =
+			error instanceof Error && error.message.includes("UNIQUE constraint");
 		if (json) {
-			if (error instanceof ValidationError) {
-				return ctx.json({ error: error.message, code: error.code }, 400);
+			if (error instanceof ValidationError || isConstraint) {
+				return ctx.json(
+					{ error: "Registration failed", code: "REGISTRATION_ERROR" },
+					400,
+				);
 			}
 			return ctx.json(
 				{ error: "Registration failed", code: "REGISTRATION_ERROR" },
-				400,
+				500,
 			);
 		}
 		return ctx.redirect("/#error");
@@ -287,7 +312,7 @@ app.post(
 				}
 				return ctx.json(
 					{ error: "Password change failed", code: "PASSWORD_CHANGE_ERROR" },
-					400,
+					500,
 				);
 			}
 			return ctx.redirect("/#error");

packages/core/src/auth/services/mirrored-session-service.ts

@@ -14,14 +14,26 @@ import type {
 	AuthContext,
 	GetClientIpFn,
 	SessionConfig,
+	SessionTableConfig,
 } from "@private-landing/types";
 import { defaultSessionConfig } from "../config";
 import type { SessionService } from "./session-service";
 
+/** Default table/column names — matches session-service.ts defaults */
+const DEFAULT_TABLE_CONFIG: Required<SessionTableConfig> = {
+	tableName: "session",
+	idColumn: "id",
+	userIdColumn: "user_id",
+	userAgentColumn: "user_agent",
+	ipAddressColumn: "ip_address",
+	expiresAtColumn: "expires_at",
+	createdAtColumn: "created_at",
+};
+
 /**
  * Configuration for the mirrored session decorator.
  */
-export interface MirroredSessionServiceConfig {
+export interface MirroredSessionServiceConfig extends SessionTableConfig {
 	/** The inner session service to decorate (typically cache-backed) */
 	inner: SessionService;
 	/** Factory that creates a DB client for SQL writes */
@@ -41,7 +53,13 @@ export interface MirroredSessionServiceConfig {
 export function createMirroredSessionService(
 	config: MirroredSessionServiceConfig,
 ): SessionService {
-	const { inner, createDbClient = defaultCreateDbClient, getClientIp } = config;
+	const {
+		inner,
+		createDbClient = defaultCreateDbClient,
+		getClientIp,
+		...tableConfig
+	} = config;
+	const rc = { ...DEFAULT_TABLE_CONFIG, ...tableConfig };
 
 	return {
 		async createSession(
@@ -67,7 +85,7 @@ export function createMirroredSessionService(
 				const db = createDbClient(ctx.env);
 
 				await db.execute({
-					sql: `INSERT INTO session (id, user_id, user_agent, ip_address, expires_at, created_at)
+					sql: `INSERT INTO ${rc.tableName} (${rc.idColumn}, ${rc.userIdColumn}, ${rc.userAgentColumn}, ${rc.ipAddressColumn}, ${rc.expiresAtColumn}, ${rc.createdAtColumn})
 						  VALUES (?, ?, ?, ?, datetime('now', '+' || ? || ' seconds'), datetime('now'))`,
 					args: [
 						sessionId,
@@ -81,13 +99,13 @@ export function createMirroredSessionService(
 				// Mirror the session limit enforcement (expire oldest beyond maxSessions)
 				await db.execute({
 					sql: `WITH ranked AS (
-						    SELECT id, ROW_NUMBER() OVER (
-						      PARTITION BY user_id ORDER BY created_at DESC
-						    ) AS rn FROM session
-						    WHERE user_id = ? AND expires_at > datetime('now')
+						    SELECT ${rc.idColumn}, ROW_NUMBER() OVER (
+						      PARTITION BY ${rc.userIdColumn} ORDER BY ${rc.createdAtColumn} DESC
+						    ) AS rn FROM ${rc.tableName}
+						    WHERE ${rc.userIdColumn} = ? AND ${rc.expiresAtColumn} > datetime('now')
 						  )
-						  UPDATE session SET expires_at = datetime('now')
-						  WHERE id IN (SELECT id FROM ranked WHERE rn > ?)`,
+						  UPDATE ${rc.tableName} SET ${rc.expiresAtColumn} = datetime('now')
+						  WHERE ${rc.idColumn} IN (SELECT ${rc.idColumn} FROM ranked WHERE rn > ?)`,
 					args: [userId, sessionConfig.maxSessions],
 				});
 			} catch (error) {
@@ -107,7 +125,7 @@ export function createMirroredSessionService(
 				if (payload?.sid) {
 					const db = createDbClient(ctx.env);
 					await db.execute({
-						sql: "UPDATE session SET expires_at = datetime('now') WHERE id = ?",
+						sql: `UPDATE ${rc.tableName} SET ${rc.expiresAtColumn} = datetime('now') WHERE ${rc.idColumn} = ?`,
 						args: [payload.sid],
 					});
 				}
@@ -125,7 +143,7 @@ export function createMirroredSessionService(
 			try {
 				const db = createDbClient(ctx.env);
 				await db.execute({
-					sql: "UPDATE session SET expires_at = datetime('now') WHERE user_id = ? AND expires_at > datetime('now')",
+					sql: `UPDATE ${rc.tableName} SET ${rc.expiresAtColumn} = datetime('now') WHERE ${rc.userIdColumn} = ? AND ${rc.expiresAtColumn} > datetime('now')`,
 					args: [userId],
 				});
 			} catch (error) {

packages/core/src/auth/services/token-service.ts

@@ -5,7 +5,11 @@
  * @license Apache-2.0
  */
 
-import type { TokenConfig, TokenPayload } from "@private-landing/types";
+import {
+	ConfigurationError,
+	type TokenConfig,
+	type TokenPayload,
+} from "@private-landing/types";
 import type { Context } from "hono";
 import { sign } from "hono/jwt";
 import { tokenConfig as defaultTokenConfig } from "../config";
@@ -70,7 +74,7 @@ export function createTokenService(
 			sessionId: string,
 		): Promise<{ accessToken: string; refreshToken: string }> {
 			if (!ctx.env.JWT_ACCESS_SECRET || !ctx.env.JWT_REFRESH_SECRET) {
-				throw new Error("Missing token signing secrets");
+				throw new ConfigurationError("Missing token signing secrets");
 			}
 
 			// Generate refresh token
@@ -118,7 +122,7 @@ export function createTokenService(
 			payload: TokenPayload,
 		): Promise<string> {
 			if (!ctx.env.JWT_ACCESS_SECRET) {
-				throw new Error("Missing access token signing secret");
+				throw new ConfigurationError("Missing access token signing secret");
 			}
 
 			// Generate new access token with same session_id

packages/schemas/src/utils/format.ts

@@ -104,3 +104,17 @@ export class ValidationError extends Error {
 		Object.setPrototypeOf(this, ValidationError.prototype);
 	}
 }
+
+/**
+ * Error for missing or invalid service configuration.
+ * Thrown when required environment variables or secrets are absent at runtime.
+ */
+export class ConfigurationError extends Error {
+	readonly code = "CONFIGURATION_ERROR" as const;
+
+	constructor(message: string) {
+		super(message);
+		this.name = "ConfigurationError";
+		Object.setPrototypeOf(this, ConfigurationError.prototype);
+	}
+}