refactor(worker): removes dead code, uses SealError class

wgordon17 · wgordon17 · commit 7a4011815f12 · 2026-04-09T09:11:53.000-04:00
diff --git a/src/app/lib/proxy.ts b/src/app/lib/proxy.ts
@@ -102,6 +102,16 @@ export async function proxyFetch(
   });
 }
 
+export class SealError extends Error {
+  readonly status: number;
+
+  constructor(status: number, code: string) {
+    super(code);
+    this.name = "SealError";
+    this.status = status;
+  }
+}
+
 export async function sealApiToken(token: string, purpose: string): Promise<string> {
   const siteKey = import.meta.env.VITE_TURNSTILE_SITE_KEY as string | undefined;
   const turnstileToken = await acquireTurnstileToken(siteKey ?? "");
@@ -115,14 +125,14 @@ export async function sealApiToken(token: string, purpose: string): Promise<stri
   });
 
   if (!res.ok) {
-    let message = "unknown_error";
+    let code = "unknown_error";
     try {
-      const body = (await res.json()) as { code?: string; error?: string };
-      message = body.error ?? message;
+      const body = (await res.json()) as { error?: string };
+      code = body.error ?? code;
     } catch {
-      // ignore parse errors — keep default message
+      // ignore parse errors — keep default code
     }
-    throw { status: res.status, message };
+    throw new SealError(res.status, code);
   }
 
   const data = (await res.json()) as { sealed: string };
diff --git a/src/worker/crypto.ts b/src/worker/crypto.ts
@@ -200,27 +200,4 @@ export async function verifySession(
   }
 }
 
-/**
- * Verifies a session signature, falling back to prevKey if currentKey fails.
- * Both salt and info must match the values used during signing (issueSession).
- */
-export async function verifySessionWithRotation(
-  payload: string,
-  signature: string,
-  currentKey: string,
-  prevKey: string | undefined,
-  salt: string,
-  info: string
-): Promise<boolean> {
-  const current = await deriveKey(currentKey, salt, info, "sign");
-  if (await verifySession(payload, signature, current)) return true;
-
-  if (prevKey !== undefined) {
-    const prev = await deriveKey(prevKey, salt, info, "sign");
-    return verifySession(payload, signature, prev);
-  }
-
-  return false;
-}
-
 export { SEAL_SALT };
diff --git a/src/worker/session.ts b/src/worker/session.ts
@@ -130,13 +130,6 @@ export async function parseSession(
   }
 }
 
-/**
- * Returns a Set-Cookie header value that clears the session cookie.
- */
-export function clearSession(): string {
-  return `${SESSION_COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=0`;
-}
-
 /**
  * Returns the existing session ID if valid, or issues a new session.
  * Never throws — all error paths return a value.
@@ -161,5 +154,3 @@ export async function ensureSession(
     return { sessionId: crypto.randomUUID() };
   }
 }
-
-export { SESSION_HMAC_SALT, SESSION_HMAC_INFO };
diff --git a/tests/app/lib/proxy.test.ts b/tests/app/lib/proxy.test.ts
@@ -285,21 +285,20 @@ describe("sealApiToken", () => {
     expect(result).toBe("enc:abc123");
   });
 
-  it("throws { status, message } on 403 response", async () => {
+  it("throws SealError on 403 response", async () => {
     setupMockedTurnstile("turnstile-tok");
 
     const mockFetch = vi.fn().mockResolvedValue(
       new Response(JSON.stringify({ error: "turnstile_failed" }), { status: 403 }),
     );
     vi.stubGlobal("fetch", mockFetch);
 
-    await expect(mod.sealApiToken("my-token", "jira-api-token")).rejects.toMatchObject({
-      status: 403,
-      message: "turnstile_failed",
-    });
+    const err = await mod.sealApiToken("my-token", "jira-api-token").catch((e: unknown) => e);
+    expect(err).toBeInstanceOf(mod.SealError);
+    expect(err).toMatchObject({ status: 403, message: "turnstile_failed" });
   });
 
-  it("throws { status, message } on 429 response", async () => {
+  it("throws SealError on 429 response", async () => {
     setupMockedTurnstile("turnstile-tok");
 
     const mockFetch = vi.fn().mockResolvedValue(
@@ -313,7 +312,7 @@ describe("sealApiToken", () => {
     });
   });
 
-  it("throws { status, message } on 500 response", async () => {
+  it("throws SealError on 500 response", async () => {
     setupMockedTurnstile("turnstile-tok");
 
     const mockFetch = vi.fn().mockResolvedValue(
diff --git a/tests/worker/crypto.test.ts b/tests/worker/crypto.test.ts
@@ -8,7 +8,6 @@ import {
   unsealTokenWithRotation,
   signSession,
   verifySession,
-  verifySessionWithRotation,
 } from "../../src/worker/crypto";
 
 // Stable base64url-encoded 32-byte test keys (not real secrets)
@@ -250,49 +249,3 @@ describe("signSession / verifySession", () => {
     expect(await verifySession("payload", "!!!invalid!!!", key)).toBe(false);
   });
 });
-
-describe("verifySessionWithRotation", () => {
-  it("verifies with current key", async () => {
-    const keyA = await deriveKey(KEY_A, "github-tracker-session-v1", "session-hmac", "sign");
-    const sig = await signSession("data", keyA);
-    const result = await verifySessionWithRotation(
-      "data",
-      sig,
-      KEY_A,
-      undefined,
-      "github-tracker-session-v1",
-      "session-hmac"
-    );
-    expect(result).toBe(true);
-  });
-
-  it("falls back to prevKey when current key fails", async () => {
-    const keyA = await deriveKey(KEY_A, "github-tracker-session-v1", "session-hmac", "sign");
-    const sig = await signSession("data", keyA);
-    // Signed with A, try currentKey=B, prevKey=A
-    const result = await verifySessionWithRotation(
-      "data",
-      sig,
-      KEY_B,
-      KEY_A,
-      "github-tracker-session-v1",
-      "session-hmac"
-    );
-    expect(result).toBe(true);
-  });
-
-  it("returns false when both keys fail", async () => {
-    const keyA = await deriveKey(KEY_A, "github-tracker-session-v1", "session-hmac", "sign");
-    const sig = await signSession("data", keyA);
-    const KEY_C = btoa("CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-    const result = await verifySessionWithRotation(
-      "data",
-      sig,
-      KEY_B,
-      KEY_C,
-      "github-tracker-session-v1",
-      "session-hmac"
-    );
-    expect(result).toBe(false);
-  });
-});
diff --git a/tests/worker/session.test.ts b/tests/worker/session.test.ts
@@ -2,7 +2,6 @@ import { describe, it, expect, vi } from "vitest";
 import {
   issueSession,
   parseSession,
-  clearSession,
   ensureSession,
   type SessionEnv,
 } from "../../src/worker/session";
@@ -215,25 +214,6 @@ describe("parseSession", () => {
   });
 });
 
-describe("clearSession", () => {
-  it("returns Max-Age=0", () => {
-    expect(clearSession()).toContain("Max-Age=0");
-  });
-
-  it("returns __Host-session= with empty value", () => {
-    const result = clearSession();
-    expect(result).toMatch(/^__Host-session=;/);
-  });
-
-  it("includes required security attributes", () => {
-    const result = clearSession();
-    expect(result).toContain("Path=/");
-    expect(result).toContain("Secure");
-    expect(result).toContain("HttpOnly");
-    expect(result).toContain("SameSite=Strict");
-  });
-});
-
 describe("ensureSession", () => {
   function makeRequest(cookieHeader?: string): Request {
     const headers: Record<string, string> = {};

Original file line number	Diff line number	Diff line change
`@@ -130,13 +130,6 @@ export async function parseSession(`
`130`	`130`	`}`
`131`	`131`	`}`
`132`	`132`
`133`		`-/**`
`134`		`- * Returns a Set-Cookie header value that clears the session cookie.`
`135`		`- */`
`136`		`-export function clearSession(): string {`
`137`		- return `${SESSION_COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=0`;
`138`		`-}`
`139`		`-`
`140`	`133`	`/**`
`141`	`134`	`* Returns the existing session ID if valid, or issues a new session.`
`142`	`135`	`* Never throws — all error paths return a value.`
`@@ -161,5 +154,3 @@ export async function ensureSession(`
`161`	`154`	`return { sessionId: crypto.randomUUID() };`
`162`	`155`	`}`
`163`	`156`	`}`
`164`		`-`
`165`		`-export { SESSION_HMAC_SALT, SESSION_HMAC_INFO };`