From cee5a11850b9ded4e1f50d8aadecdb52650a9163 Mon Sep 17 00:00:00 2001
From: Olivier Le Thanh Duong
Date: Fri, 28 Mar 2025 12:04:24 +0100
Subject: [PATCH] enh: Operator auth. Better http error make it more clear what the error is so it is easier for client and sdk developper to debug auth problem
---
 src/aleph/vm/orchestrator/views/authentication.py | 12 +++++++++---
 tests/supervisor/test_authentication.py | 2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/aleph/vm/orchestrator/views/authentication.py b/src/aleph/vm/orchestrator/views/authentication.py
index 55ed624ef..8dadda2d2 100644
--- a/src/aleph/vm/orchestrator/views/authentication.py
+++ b/src/aleph/vm/orchestrator/views/authentication.py
@@ -234,13 +234,19 @@ async def authenticate_jwk(request: web.Request) -> str:
 signed_operation = get_signed_operation(request)
 if signed_operation.content.domain != settings.DOMAIN_NAME:
 logger.debug(f"Invalid domain '{signed_operation.content.domain}' != '{settings.DOMAIN_NAME}'")
- raise web.HTTPUnauthorized(reason="Invalid domain")
+ raise web.HTTPUnauthorized(
+ reason=f"Invalid domain: Signed: '{signed_operation.content.domain}' != Request: '{settings.DOMAIN_NAME}'"
+ )
 if signed_operation.content.path != request.path:
 logger.debug(f"Invalid path '{signed_operation.content.path}' != '{request.path}'")
- raise web.HTTPUnauthorized(reason="Invalid path")
+ raise web.HTTPUnauthorized(
+ reason=f"Invalid path. Signed: '{signed_operation.content.path}' != requested path: '{request.path}'"
+ )
 if signed_operation.content.method != request.method:
 logger.debug(f"Invalid method '{signed_operation.content.method}' != '{request.method}'")
- raise web.HTTPUnauthorized(reason="Invalid method")
+ raise web.HTTPUnauthorized(
+ reason=f"Invalid method. Signed: '{signed_operation.content.method}' != request:'{request.method}"
+ )
 return verify_signed_operation(signed_operation, signed_pubkey)
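Review bot: The three new `reason=` f-strings in `authenticate_jwk` copy `signed_operation.content.domain`, `.path` and `.method` into the response before `verify_signed_operation` has run, so at that point the values are still unauthenticated client input. `reason` is normally sent as the HTTP reason phrase and, per the updated test, also ends up in the JSON `error` field, so control characters or very long values in the signed payload would either reach the status line or turn the 401 into a server error, depending on how the framework validates the reason; that is worth confirming. Formatting the values with `!r` (plus a length cap) keeps the debugging value without passing raw input through, e.g. `reason=f"Invalid domain. Signed: {signed_operation.content.domain!r} != expected: {settings.DOMAIN_NAME!r}"`, and the same applies to the path and method messages. Separately, the method message is missing its closing quote after `{request.method}`, and the domain message labels the server-side `settings.DOMAIN_NAME` as `Request:`, which will mislead the SDK developers it is meant to help. The body of `authenticate_jwk` starts outside the hunk.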
diff --git a/tests/supervisor/test_authentication.py b/tests/supervisor/test_authentication.py
index b46dd315f..19b841d83 100644
--- a/tests/supervisor/test_authentication.py
+++ b/tests/supervisor/test_authentication.py
@@ -194,7 +194,7 @@ async def view(request, authenticated_sender):
 assert resp.status == 401, await resp.text()
 r = await resp.json()
- assert {"error": "Invalid domain"} == r
+ assert {"error": "Invalid domain: Signed: 'baddomain' != Request: 'localhost'"} == r
 @pytest.mark.asyncio