Skip to content

jwt: Return better error messages on malformed tokens #84

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

jwt: Return better error messages on malformed tokens #84

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions parser.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,18 +107,18 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
return token, parts, NewValidationError("tokenstring should not contain 'bearer '", ValidationErrorMalformed)
}
return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
return token, parts, &ValidationError{Inner: fmt.Errorf("malformed token header: %w", err), Errors: ValidationErrorMalformed}
}
if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
return token, parts, &ValidationError{Inner: fmt.Errorf("malformed token header: %w", err), Errors: ValidationErrorMalformed}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been going back and forth on this one. The intention is good, but is it going to break existing users?

There is a lot to be desired in terms of improving errors. But is this something we should tackle in the current /v4 or punt to a breaking release /v5.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This discussion comes back to the point that we should discuss a common roadmap. I wonder, whether doing this in GitHub discussions is enough or if it makes sense to have a short zoom / Teams call on this to discuss a some roadmap ideas among the maintainers. Probably tricky to find a good time slot for this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can opt to use semver properly in v4 and treat minor but non-revisional changes as these via releases (unless we strictly want to make the v4 release family v3 compatible). Those are the 2 options I see right now

@oxisto I think we can do fine with gh discussions for a middle ground between a chat and a an issue, for something more fluent we could use discord or something alike. I agree that coordinating a time slot might be difficult for a live conversation as we have tight schedules and different timezones but a chat server comes second place in communication efficiency so we can still gain something

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, maybe a discord server would be a nice idea.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can opt to use semver properly in v4 and treat minor but non-revisional changes as these via releases

Ye that's fair, since we are using modules we can bump minor versions and just make sure to jot that down in the release change log.

I'm not sure I have the bandwidth for in-person chats. Happy to continue contributing asynchronously, also there is nothing pressing afacis.

FWIW there is already a Gophers slack, and can create a "jwt" channel (maybe not) or just ping whoever is on there.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The golang slack would seem like a obvious choice - many thousands of go users there and I believe they allow project channels.

}

// parse Claims
var claimBytes []byte
token.Claims = claims

if claimBytes, err = DecodeSegment(parts[1]); err != nil {
return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
return token, parts, &ValidationError{Inner: fmt.Errorf("malformed token claims: %w", err), Errors: ValidationErrorMalformed}
}
dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
if p.UseJSONNumber {
Expand All @@ -132,7 +132,7 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
}
// Handle decode error
if err != nil {
return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
return token, parts, &ValidationError{Inner: fmt.Errorf("malformed token payload: %w", err), Errors: ValidationErrorMalformed}
}

// Lookup signature method
Expand Down
15 changes: 15 additions & 0 deletions parser_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,21 @@ func TestParser_ParseUnverified(t *testing.T) {
}
}

func Test_ParseWithInvalidJSONPayload(t *testing.T) {
tokenString := "eyJhbGciOiJSUzI1NiIsInppcCI6IkRFRiJ9.eNqqVkqtKFCyMjQ1s7Q0sbA0MtFRyk3NTUot8kxRslIKLbZQggn4JeamAoUcfRz99HxcXRWeze172tr4bFq7Ui0AAAD__w.jBXD4LT4aq4oXTgDoPkiV6n4QdSZPZI1Z4J8MWQC42aHK0oXwcovEU06dVbtB81TF-2byuu0-qi8J0GUttODT67k6gCl6DV_iuCOV7gczwTcvKslotUvXzoJ2wa0QuujnjxLEE50r0p6k0tsv_9OIFSUZzDksJFYNPlJH2eFG55DROx4TsOz98az37SujZi9GGbTc9SLgzFHPrHMrovRZ5qLC_w4JrdtsLzBBI11OQJgRYwV8fQf4O8IsMkHtetjkN7dKgUkJtRarNWOk76rpTPppLypiLU4_J0-wrElLMh1TzUVZW6Fz2cDHDDBACJgMmKQ2pOFEDK_vYZN74dLCF5GiTZV6DbXhNxO7lqT7JUN4a3p2z96G7WNRjblf2qZeuYdQvkIsiK-rCbSIE836XeY5gaBgkOzuEvzl_tMrpRmb5Oox1ibOfVT2KBh9Lvqsb1XbQjCio2CLE2ViCLqoe0AaRqlUyrk3n8BIG-r0IW4dcw96CEryEMIjsjVp9mtPXamJzf391kt8Rf3iRBqwv3zP7Plg1ResXbmsFUgOflAUPcYmfLug4W3W52ntcUlTHAKXrNfaJL9QQiYAaDukG-ZHDytsOWTuuXw7lVxjt-XYi1VbRAIjh1aIYSELEmEpE4Ny74htQtywYXMQNfJpB0nNn8IiWakgcYYMJ0TmKM"

_, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return nil, nil
})

if err == nil {
t.Fatal("expected error")
}
if err.Error() != "malformed token payload: invalid character 'x' looking for beginning of value" {
t.Errorf("unexpected error \"%s\"", err.Error())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit. can use %q to avoid escaping double quotes.

}
}

func BenchmarkParseUnverified(b *testing.B) {
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")

Expand Down