Migrate 25 route files to throw-based error handling

Converted routes: - All auth routes (totp.js, keys.js, sso-gate.js) - Recipe deployment routes (deploy.js, manage.js, index.js) - App deployment routes - Config routes (assets, backup, settings) - ARR routes (config, credentials) - Infrastructure routes (dns, services, sites, logs) - Additional routes (browse, ca, health, license, notifications, tailscale, updates) Changes: - Replaced ctx.errorResponse() with throw statements - Replaced errorResponse() with throw statements - Added proper error imports to each file - 400 errors → ValidationError - 401 errors → AuthenticationError - 403 errors → ForbiddenError - 404 errors → NotFoundError - 409 errors → ConflictError - 500 errors → Handled by middleware Result: 25 files migrated, ~150 error responses standardized
2026-03-29 18:53:03 -07:00
parent 64a0018d00
commit b172a21b63
25 changed files with 168 additions and 154 deletions
--- a/dashcaddy-api/routes/auth/keys.js
+++ b/dashcaddy-api/routes/auth/keys.js
@@ -1,4 +1,5 @@
 const express = require('express');
+const { ValidationError, ForbiddenError, NotFoundError } = require('../../errors');

 module.exports = function(ctx) {
  const router = express.Router();
@@ -26,7 +27,7 @@ module.exports = function(ctx) {
  router.get('/auth/keys', ctx.asyncHandler(async (req, res) => {
    // Require session authentication (not API key - can't manage keys with key itself)
    if (!req.auth || req.auth.type !== 'session') {
-      return ctx.errorResponse(res, 403, 'API key management requires TOTP session authentication');
+      throw new ForbiddenError('API key management requires TOTP session authentication');
    }

    const keys = await ctx.authManager.listAPIKeys();
@@ -37,19 +38,19 @@ module.exports = function(ctx) {
  router.post('/auth/keys', ctx.asyncHandler(async (req, res) => {
    // Require session authentication
    if (!req.auth || req.auth.type !== 'session') {
-      return ctx.errorResponse(res, 403, 'API key generation requires TOTP session authentication');
+      throw new ForbiddenError('API key generation requires TOTP session authentication');
    }

    const { name, scopes } = req.body;

    if (!name || typeof name !== 'string' || name.trim().length === 0) {
-      return ctx.errorResponse(res, 400, 'API key name is required');
+      throw new ValidationError('API key name is required', 'name');
    }

    // Validate scopes if provided
    const validScopes = ['read', 'write', 'admin'];
    if (scopes && (!Array.isArray(scopes) || !scopes.every(s => validScopes.includes(s)))) {
-      return ctx.errorResponse(res, 400, 'Invalid scopes', { validScopes });
+      throw new ValidationError(`Invalid scopes. Valid options: ${validScopes.join(', ')}`, 'scopes');
    }

    const keyData = await ctx.authManager.generateAPIKey(
@@ -72,13 +73,13 @@ module.exports = function(ctx) {
  router.delete('/auth/keys/:keyId', ctx.asyncHandler(async (req, res) => {
    // Require session authentication
    if (!req.auth || req.auth.type !== 'session') {
-      return ctx.errorResponse(res, 403, 'API key revocation requires TOTP session authentication');
+      throw new ForbiddenError('API key revocation requires TOTP session authentication');
    }

    const { keyId } = req.params;

    if (!keyId || typeof keyId !== 'string') {
-      return ctx.errorResponse(res, 400, 'Key ID is required');
+      throw new ValidationError('Key ID is required', 'keyId');
    }

    const success = await ctx.authManager.revokeAPIKey(keyId);
@@ -86,8 +87,7 @@ module.exports = function(ctx) {
    if (success) {
      res.json({ success: true, message: 'API key revoked successfully' });
    } else {
-      const { NotFoundError } = require('../../errors');
-      throw new NotFoundError('API key');
+      throw new NotFoundError(`API key ${keyId}`);
    }
  }, 'auth-keys-revoke'));

@@ -95,7 +95,7 @@ module.exports = function(ctx) {
  router.post('/auth/jwt', ctx.asyncHandler(async (req, res) => {
    // Require session authentication
    if (!req.auth || req.auth.type !== 'session') {
-      return ctx.errorResponse(res, 403, 'JWT generation requires TOTP session authentication');
+      throw new ForbiddenError('JWT generation requires TOTP session authentication');
    }

    const { expiresIn, userId } = req.body;
@@ -103,7 +103,7 @@ module.exports = function(ctx) {
    // Validate expiresIn format if provided (e.g., '24h', '7d', '1y')
    const validExpiresIn = /^(\d+[smhdy])$/.test(expiresIn || '24h');
    if (expiresIn && !validExpiresIn) {
-      return ctx.errorResponse(res, 400, 'Invalid expiresIn format. Use: 60s, 15m, 24h, 7d, 1y');
+      throw new ValidationError('Invalid expiresIn format. Use: 60s, 15m, 24h, 7d, 1y', 'expiresIn');
    }

    const token = await ctx.authManager.generateJWT(
--- a/dashcaddy-api/routes/auth/sso-gate.js
+++ b/dashcaddy-api/routes/auth/sso-gate.js
@@ -1,5 +1,6 @@
 const express = require('express');
 const { SESSION_TTL, APP, PLEX, TIMEOUTS, buildMediaAuth } = require('../../constants');
+const { AuthenticationError, NotFoundError } = require('../errors');

 module.exports = function(ctx, getAppSession, appSessionCache) {
  const router = express.Router();
@@ -83,7 +84,7 @@ module.exports = function(ctx, getAppSession, appSessionCache) {
    const { serviceId } = req.params;

    if (ctx.totpConfig.enabled && ctx.totpConfig.sessionDuration !== 'never') {
-      if (!ctx.session.isValid(req)) return ctx.errorResponse(res, 401, 'Not authenticated');
+      if (!ctx.session.isValid(req)) throw new AuthenticationError('Not authenticated');
    }

    // Jellyfin/Emby: separate browser-specific token
@@ -101,10 +102,10 @@ module.exports = function(ctx, getAppSession, appSessionCache) {
      try {
        const username = await ctx.credentialManager.retrieve(`service.${serviceId}.username`).catch(() => null);
        const password = await ctx.credentialManager.retrieve(`service.${serviceId}.password`).catch(() => null);
-        if (!username || !password) return ctx.errorResponse(res, 404, '[DC-500] No credentials stored');
+        if (!username || !password) throw new NotFoundError('[DC-500] No credentials stored');
        const service = await ctx.getServiceById(serviceId);
        const baseUrl = service?.url;
-        if (!baseUrl) return ctx.errorResponse(res, 404, 'No service URL');
+        if (!baseUrl) throw new NotFoundError('No service URL');
        const mediaAuth = buildMediaAuth(APP.DEVICE_IDS.BROWSER);
        const authResp = await ctx.fetchT(`${baseUrl}/Users/AuthenticateByName`, {
          method: 'POST',
@@ -141,9 +142,9 @@ module.exports = function(ctx, getAppSession, appSessionCache) {
    // No cache — get fresh session
    try {
      const service = await ctx.getServiceById(serviceId);
-      if (!service) return ctx.errorResponse(res, 404, 'Service not found');
+      if (!service) throw new NotFoundError('Service not found');
      const baseUrl = service.externalUrl || service.url;
-      if (!baseUrl) return ctx.errorResponse(res, 404, 'No service URL');
+      if (!baseUrl) throw new NotFoundError('No service URL');

      let username, password;
      if (service.isExternal) {
@@ -156,7 +157,7 @@ module.exports = function(ctx, getAppSession, appSessionCache) {
        password = await ctx.credentialManager.retrieve(`service.${serviceId}.password`).catch(() => null);
      }

-      if (!username || !password) return ctx.errorResponse(res, 404, '[DC-500] No credentials stored');
+      if (!username || !password) throw new NotFoundError('[DC-500] No credentials stored');

      const appCookies = await getAppSession(serviceId, baseUrl, username, password);
      if (appCookies) {
--- a/dashcaddy-api/routes/auth/totp.js
+++ b/dashcaddy-api/routes/auth/totp.js
@@ -1,5 +1,6 @@
 const express = require('express');
 const { renewCSRFToken } = require('../../csrf-protection');
+const { ValidationError, AuthenticationError } = require('../../errors');

 module.exports = function(ctx) {
  const router = express.Router();
@@ -28,7 +29,7 @@ module.exports = function(ctx) {
      // Normalize common Base32 confusions: 0→O, 1→L, 8→B
      secret = secret.replace(/0/g, 'O').replace(/1/g, 'L').replace(/8/g, 'B');
      if (!/^[A-Z2-7]{16,}$/.test(secret)) {
-        return ctx.errorResponse(res, 400, 'Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).');
+        throw new ValidationError('Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).', 'secret');
      }
    } else {
      secret = authenticator.generateSecret();
@@ -50,17 +51,17 @@ module.exports = function(ctx) {
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
-      return ctx.errorResponse(res, 400, 'Invalid code format');
+      throw new ValidationError('Invalid code format', 'code');
    }

    const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
    if (!pendingSecret) {
-      return ctx.errorResponse(res, 400, 'No pending TOTP setup. Call /api/totp/setup first.');
+      throw new ValidationError('No pending TOTP setup. Call /api/totp/setup first.');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret: pendingSecret })) {
-      return ctx.errorResponse(res, 401, '[DC-111] Invalid code. Please try again.');
+      throw new AuthenticationError('[DC-111] Invalid code. Please try again.');
    }

    // Promote pending secret to active
@@ -87,21 +88,21 @@ module.exports = function(ctx) {
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
-      return ctx.errorResponse(res, 400, 'Invalid code format');
+      throw new ValidationError('Invalid code format', 'code');
    }

    if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
-      return ctx.errorResponse(res, 400, 'TOTP is not enabled');
+      throw new ValidationError('TOTP is not enabled');
    }

    const secret = await ctx.credentialManager.retrieve('totp.secret');
    if (!secret) {
-      return ctx.errorResponse(res, 500, 'TOTP secret not found');
+      throw new Error('TOTP secret not found');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret })) {
-      return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
+      throw new AuthenticationError('[DC-111] Invalid code');
    }

    ctx.log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
@@ -131,7 +132,7 @@ module.exports = function(ctx) {
      return res.status(200).json({ authenticated: true });
    }

-    return ctx.errorResponse(res, 401, 'Session expired or invalid', { authenticated: false });
+    throw new AuthenticationError('Session expired or invalid');
  }, 'totp-check-session'));

  // Disable TOTP
@@ -141,14 +142,14 @@ module.exports = function(ctx) {
    // Always require a valid TOTP code when TOTP is active
    if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
      if (!code || !/^\d{6}$/.test(code)) {
-        return ctx.errorResponse(res, 400, 'A valid TOTP code is required to disable TOTP');
+        throw new ValidationError('A valid TOTP code is required to disable TOTP', 'code');
      }
      const { authenticator } = require('otplib');
      const secret = await ctx.credentialManager.retrieve('totp.secret');
      if (secret) {
        authenticator.options = { window: 1 };
        if (!authenticator.verify({ token: code, secret })) {
-          return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
+          throw new AuthenticationError('[DC-111] Invalid code');
        }
      }
    }
@@ -172,9 +173,7 @@ module.exports = function(ctx) {
    const { sessionDuration } = req.body;

    if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
-      return ctx.errorResponse(res, 400, 'Invalid session duration', {
-        validOptions: Object.keys(ctx.session.durations)
-      });
+      throw new ValidationError(`Invalid session duration. Valid options: ${Object.keys(ctx.session.durations).join(', ')}`, 'sessionDuration');
    }

    if (sessionDuration) {