[iso-core] Split cert validation error handling off socket error handling

Summary: Now that we don't do strict validation of certificates for non-major IMAP providers this shouldn't come up as much, but when it does we're gonna want a better error message to help support out. I am not 100% sure there aren't other socket errors that should be fatal, but this was the one I could figure out by test authing against a server with a self-signed cert and grepping around the node socket source code. Test Plan: manual Reviewers: evan, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3774
2025-09-04 11:44:47 +08:00 · 2017-01-24 18:48:24 -08:00 · 2017-01-24 18:48:24 -08:00 · 933ebdfebb
commit 933ebdfebb
parent ddcd097c9b
2 changed files with 20 additions and 1 deletions
--- a/packages/isomorphic-core/src/auth-helpers.js
+++ b/packages/isomorphic-core/src/auth-helpers.js
@ -33,6 +33,7 @@ const USER_ERRORS = {
  AUTH_500: "Please contact support@nylas.com. An unforeseen error has occurred.",
  IMAP_AUTH: "Incorrect username or password",
  IMAP_RETRY: "We were unable to reach your mail provider. Please try again.",
+  IMAP_CERT: "We couldn't make a secure connection to your mail provider. Please contact support@nylas.com.",
 }

 const SUPPORTED_PROVIDERS = new Set(
@ -147,6 +148,11 @@ module.exports = {
          reply({message: USER_ERRORS.IMAP_AUTH, type: "api_error"}).code(401);
          return
        }
+        if (err instanceof IMAPErrors.IMAPCertificateError) {
+          global.Logger.error({err}, 'Encountered certificate error while attempting to authenticate')
+          reply({message: USER_ERRORS.IMAP_CERT, type: "api_error"}).code(401);
+          return
+        }
        if (err instanceof IMAPErrors.RetryableError) {
          if (retryNum < MAX_RETRIES) {
            setTimeout(() => {
--- a/packages/isomorphic-core/src/imap-errors.js
+++ b/packages/isomorphic-core/src/imap-errors.js
@ -28,6 +28,13 @@ class IMAPConnectionEndedError extends NylasError {
  }
 }

+/**
+ * Certificate validation failures may correct themselves over long spans
+ * of time, but not over the short spans of time in which it'd make sense
+ * for us to retry.
+ */
+class IMAPCertificateError extends NylasError { }
+
 /**
 * IMAPErrors may come from:
 *
@ -75,7 +82,12 @@ function convertImapError(imapError) {
    case "timeout":
      error = new IMAPConnectionTimeoutError(imapError); break;
    case "socket":
-      error = new IMAPSocketError(imapError); break;
+      if (imapError.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
+        error = new IMAPCertificateError(imapError);
+      } else {
+        error = new IMAPSocketError(imapError);
+      }
+      break;
    case "protocol":
      error = new IMAPProtocolError(imapError); break;
    case "authentication":
@ -100,4 +112,5 @@ module.exports = {
  IMAPTransientAuthenticationError,
  IMAPConnectionNotReadyError,
  IMAPConnectionEndedError,
+  IMAPCertificateError,
 };