Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT expired Bearer token return 400 - RFC6750 demand 401 #1138

Closed
mdaneri opened this issue Sep 22, 2023 · 1 comment
Closed

JWT expired Bearer token return 400 - RFC6750 demand 401 #1138

mdaneri opened this issue Sep 22, 2023 · 1 comment
Labels
bug 🐛
Milestone
2.10.0

Comments

@mdaneri
Copy link
Contributor

mdaneri commented Sep 22, 2023

Based on the RFC https://www.rfc-editor.org/rfc/rfc6750 an expired bearer token should return 401 not 400

private/Authentication.ps1
line 429

 if ($options.AsJWT) {
            try {
                $payload = ConvertFrom-PodeJwt -Token $token -Secret $options.Secret
                Test-PodeJwt -Payload $payload
            }
            catch {
                if ($_.Exception.Message -ilike '*jwt*') {
                    return @{
                        Message = $_.Exception.Message
                        Code = 400
                    }
                }

                throw
            } 
            $result = @($payload)
        }

should be changed to

     if ($options.AsJWT) {
            try {
                $payload = ConvertFrom-PodeJwt -Token $token -Secret $options.Secret
                Test-PodeJwt -Payload $payload
            }
            catch {
                if ($_.Exception.Message -ilike '*jwt*') {
                    return @{
                        Message = $_.Exception.Message
                        #https://www.rfc-editor.org/rfc/rfc6750 Bearer token should return 401
                        Challenge = (New-PodeAuthBearerChallenge -Scopes $options.Scopes -ErrorType invalid_token) 
                        Code = 401
                    }
                } 
                throw
            } 
            $result = @($payload)
        }
@mdaneri
Copy link
Contributor Author

mdaneri commented Sep 22, 2023

It's fixed on my fork

@mdaneri mdaneri mentioned this issue Dec 29, 2023
Merged
@Badgerati Badgerati added this to the 2.10.0 milestone Apr 13, 2024
@github-project-automation github-project-automation bot moved this from Backlog to Done in 🚀 Pode Roadmap Apr 14, 2024
@Badgerati Badgerati mentioned this issue Apr 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛
Projects
🚀 Pode Roadmap
Status: Done
Milestone
2.10.0
Development

No branches or pull requests
2 participants
@Badgerati @mdaneri