Fix error handling for unauthorized responses (#479)

Author: wKovacs64

.bundlewatch.config.json

@@ -3,7 +3,7 @@
     {
       "//": "Pre-bundled for Browser (UMD)",
       "path": "dist/browser/hibp.umd.js",
-      "maxSize": "9.2 kB"
+      "maxSize": "9.3 kB"
     },
     {
       "//": "Pre-bundled for Browser (ESM)",

.changeset/shy-nails-build.md

@@ -0,0 +1,5 @@
+---
+'hibp': patch
+---
+
+Fix error handling for 401 Unauthorized API responses. The [haveibeenpwned.com API (v3)](https://haveibeenpwned.com/API/v3#Authorisation) changed its response type from a JSON body to text.

src/api/haveibeenpwned/__tests__/fetch-from-api.test.ts

@@ -79,14 +79,12 @@ describe('internal (haveibeenpwned): fetchFromApi', () => {
     it('throws an "Unauthorized" error', () => {
       server.use(
         http.get('*', () => {
-          return new Response(JSON.stringify(UNAUTHORIZED.body), {
-            status: UNAUTHORIZED.status,
-          });
+          return new Response(UNAUTHORIZED.text, { status: UNAUTHORIZED.status });
         }),
       );
 
       return expect(fetchFromApi('/service/unauthorized')).rejects.toMatchInlineSnapshot(
-        `[Error: Access denied due to missing hibp-api-key.]`,
+        `[Error: Your request to the API couldn't be authorised. Check you have the right value in the "hibp-api-key" header, refer to the documentation for more: https://haveibeenpwned.com/API/v3#Authorisation]`,
       );
     });
   });

src/api/haveibeenpwned/fetch-from-api.ts

@@ -104,8 +104,8 @@ export async function fetchFromApi(
       throw new Error(BAD_REQUEST.statusText);
     }
     case UNAUTHORIZED.status: {
-      const body = (await response.json()) as unknown as ErrorData;
-      throw new Error(body.message);
+      const message = await response.text();
+      throw new Error(message);
     }
     case FORBIDDEN.status: {
       const rayId = response.headers.get('cf-ray');

src/api/haveibeenpwned/responses.ts

@@ -18,6 +18,7 @@ export interface HaveIBeenPwnedApiResponse {
   status: number;
   statusText?: string;
   body?: ResponseBody;
+  text?: string;
 }
 
 const emptyHeaders = new Map<string, string>();
@@ -30,19 +31,15 @@ export const BAD_REQUEST: HaveIBeenPwnedApiResponse = {
 };
 
 /**
- * This response has unique behavior. For some reason, the API includes an
- * object in the response body for this one, containing a human-readable
- * message. Manually populating the message here purely for use in tests.
+ * The API includes a human-readable error message as text in the body of this
+ * response type. Manually populating the message here purely for use in tests.
  *
  * @internal
  */
 export const UNAUTHORIZED: HaveIBeenPwnedApiResponse = {
   headers: emptyHeaders,
   status: 401,
-  body: {
-    statusCode: 401,
-    message: 'Access denied due to missing hibp-api-key.',
-  },
+  text: `Your request to the API couldn't be authorised. Check you have the right value in the "hibp-api-key" header, refer to the documentation for more: https://haveibeenpwned.com/API/v3#Authorisation`,
 };
 
 /** @internal */
@@ -65,9 +62,9 @@ export const NOT_FOUND: HaveIBeenPwnedApiResponse = {
 };
 
 /**
- * This response has unique behavior. For some reason, the API includes an
- * object in the response body for this one, containing a human-readable
- * message. Manually populating the message here purely for use in tests.
+ * The API includes a JSON object containing a human-readable message in the
+ * body of this response type. Manually populating the message here purely for
+ * use in tests.
  *
  * @internal
  */