Code refactoring for auth/index.js

[Mehulantony]

Performed code refactoring for the auth/index.js file and introduced the following changes for cleanup and maintainability:

1. Extracted JWT payload parsing into one helper function parseAuthHeaderPayload(req)
2. Fixed typo issues in _extractUser
3. Used consistent quote style and spacing
4. Extracted repeated Auth0 fetch logic into one helper function requestTokenFromAuth0

[allenbakki]

1. Missing or invalid header handling
   Currently there is no guard for a missing or malformed authorization header. If the header is undefined, not a string containing a space, or not a valid 3-part JWT, this can throw a TypeError during parsing.

Previously, the inline try/catch in the call sites implicitly protected against this. Since parsing is now centralized in this helper, it would be safer for the helper itself to defensively validate the header before attempting to decode it.

2. Base64 variant handling
   JWTs use URL-safe Base64 (- and _) rather than standard Base64. While Buffer.from(payload, 'base64') in Node often works, it can sometimes be brittle due to padding or character differences. It may be safer to normalize the Base64 string or explicitly support Base64URL decoding.

3. validation clarity
   This function currently only decodes the token and does not validate the signature or expiration. That is fine if it is always used after auth() has verified the token, but _tokenError is explicitly handling invalid or expired tokens.

Suggested change

	const parseAuthHeaderPayload = (req) => {
	const authHeader = req.header('authorization')
	if (!authHeader || typeof authHeader !== 'string') {
	throw new Error('Missing or invalid authorization header')
	}
	const [, token] = authHeader.split(' ')
	if (!token) {
	throw new Error('Malformed authorization header')
	}
	const parts = token.split('.')
	if (parts.length < 2) {
	throw new Error('Malformed JWT token')
	}
	const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/')
	const payloadJson = Buffer.from(base64, 'base64').toString()
	return JSON.parse(payloadJson)
	}

[allenbakki]

If parseAuthHeaderPayload throws for a missing/invalid header, you’ll set 401 with a RERUM-specific message. That’s likely acceptable, but be aware you’re masking actual error details.

Consider using a known custom error or e.code to disambiguate the cause if you need different responses for different failures.

[allenbakki]

Using async + await while also chaining .then() and .catch() is redundant. Prefer one style.

[allenbakki]

    try {
        const resp = await fetch('https://cubap.auth0.com/oauth/token', {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify(form)
        })

        const json = await resp.json()
        return json
    }
    catch (err) {
        console.error(err)
        return {
            error: true,
            error_description: err && err.message ? err.message : String(err)
        }
    }
}

[allenbakki]

Status code semantics:
For Auth0 errors, returning 500 may not be ideal. many of these are client or auth errors (e.g. invalid grant) and could be 400/401. This is pre-existing behavior though, if you want to preserve behavior, leave as is.

[allenbakki]

Error body:
On catch, you res.status(500).send(e) which might leak internal error structure or stack. Consider sending a minimal message instead and logging full details.