golang-github-go-kit-kit / ae1f1a4
improved error handling on jwt.NewParser middleware and additional tests (expiration/notbefore) Bas van Beek 4 years ago
2 changed file(s) with 48 addition(s) and 7 deletion(s).
9393 return keyFunc(token)
9494 })
9595 if err != nil {
96 if e, ok := err.(*jwt.ValidationError); ok && e.Inner != nil {
97 if e.Errors&jwt.ValidationErrorMalformed != 0 {
96 if e, ok := err.(*jwt.ValidationError); ok {
97 switch {
98 case e.Errors&jwt.ValidationErrorMalformed != 0:
9899 // Token is malformed
99100 return nil, ErrTokenMalformed
100 } else if e.Errors&jwt.ValidationErrorExpired != 0 {
101 case e.Errors&jwt.ValidationErrorExpired != 0:
101102 // Token is expired
102103 return nil, ErrTokenExpired
103 } else if e.Errors&jwt.ValidationErrorNotValidYet != 0 {
104 case e.Errors&jwt.ValidationErrorNotValidYet != 0:
104105 // Token is not active yet
105106 return nil, ErrTokenNotActive
107 case e.Inner != nil:
108 // report e.Inner
109 return nil, e.Inner
106110 }
107
108 return nil, e.Inner
111 // We have a ValidationError but have no specific Go kit error for it.
112 // Fall through to return original error.
109113 }
110
111114 return nil, err
112115 }
113116
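Review bot: The new switch (new lines 97-109) tests `e.Errors` as a bitmask and returns on the first matching flag, so a token carrying several flags is reported by whichever case comes first. If the jwt library can set `jwt.ValidationErrorSignatureInvalid` together with the expired or not-valid-yet flag (worth confirming against the vendored version), a token whose signature never verified would surface as `ErrTokenExpired` or `ErrTokenNotActive`, and callers that treat those as softer failures would be acting on unauthenticated claims. I would test the signature flag ahead of the two claim-timing cases, e.g. `case e.Errors&jwt.ValidationErrorSignatureInvalid != 0:` followed by `return nil, err`, with a comment explaining why the order matters. The enclosing function starts and ends outside this hunk.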
22 import (
33 "context"
44 "testing"
5 "time"
56
67 "crypto/subtle"
78
3233 standardSignedKey = "eyJhbGciOiJIUzI1NiIsImtpZCI6ImtpZCIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnby1raXQifQ.L5ypIJjCOOv3jJ8G5SelaHvR04UJuxmcBN5QW3m_aoY"
3334 customSignedKey = "eyJhbGciOiJIUzI1NiIsImtpZCI6ImtpZCIsInR5cCI6IkpXVCJ9.eyJteV9wcm9wZXJ0eSI6InNvbWUgdmFsdWUiLCJhdWQiOiJnby1raXQifQ.s8F-IDrV4WPJUsqr7qfDi-3GRlcKR0SRnkTeUT_U-i0"
3435 invalidKey = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.vKVCKto-Wn6rgz3vBdaZaCBGfCBDTXOENSo_X2Gq7qA"
36 malformedKey = "malformed.jwt.token"
3537 )
3638
3739 func signingValidator(t *testing.T, signer endpoint.Endpoint, expectedKey string) {
129131 t.Fatalf("JWT Claims.user did not match: expecting %s got %s", mapClaims["user"], cl["user"])
130132 }
131133
134 // Test for malformed token error response
135 parser = NewParser(keys, method, &jwt.StandardClaims{})(e)
136 ctx = context.WithValue(context.Background(), JWTTokenContextKey, malformedKey)
137 ctx1, err = parser(ctx, struct{}{})
138 if want, have := ErrTokenMalformed, err; want != have {
139 t.Fatalf("Expected %+v, got %+v", want, have)
140 }
141
142 // Test for expired token error response
143 parser = NewParser(keys, method, &jwt.StandardClaims{})(e)
144 expired := jwt.NewWithClaims(method, jwt.StandardClaims{ExpiresAt: time.Now().Unix() - 100})
145 token, err := expired.SignedString(key)
146 if err != nil {
147 t.Fatalf("Unable to Sign Token: %+v", err)
148 }
149 ctx = context.WithValue(context.Background(), JWTTokenContextKey, token)
150 ctx1, err = parser(ctx, struct{}{})
151 if want, have := ErrTokenExpired, err; want != have {
152 t.Fatalf("Expected %+v, got %+v", want, have)
153 }
154
155 // Test for not activated token error response
156 parser = NewParser(keys, method, &jwt.StandardClaims{})(e)
157 notactive := jwt.NewWithClaims(method, jwt.StandardClaims{NotBefore: time.Now().Unix() + 100})
158 token, err = notactive.SignedString(key)
159 if err != nil {
160 t.Fatalf("Unable to Sign Token: %+v", err)
161 }
162 ctx = context.WithValue(context.Background(), JWTTokenContextKey, token)
163 ctx1, err = parser(ctx, struct{}{})
164 if want, have := ErrTokenNotActive, err; want != have {
165 t.Fatalf("Expected %+v, got %+v", want, have)
166 }
167
168 // test valid standard claims token
132169 parser = NewParser(keys, method, &jwt.StandardClaims{})(e)
133170 ctx = context.WithValue(context.Background(), JWTTokenContextKey, standardSignedKey)
134171 ctx1, err = parser(ctx, struct{}{})
143180 t.Fatalf("JWT jwt.StandardClaims.Audience did not match: expecting %s got %s", standardClaims.Audience, stdCl.Audience)
144181 }
145182
183 // test valid customized claims token
146184 parser = NewParser(keys, method, &customClaims{})(e)
147185 ctx = context.WithValue(context.Background(), JWTTokenContextKey, customSignedKey)
148186 ctx1, err = parser(ctx, struct{}{})
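Review bot: The three new negative cases (new lines 134-166) assert only on `err` and leave the first return value `ctx1` unchecked, so they would still pass if the parser invoked the wrapped endpoint or returned data for a rejected token. Adding `if ctx1 != nil { t.Fatalf("Expected nil response, got %+v", ctx1) }` after each error check would pin that, assuming `ctx1` is the endpoint's interface-typed response, which is declared outside the hunk. The middleware's new `case e.Inner != nil` branch and its final `return nil, err` path are not covered by the cases visible here; a token signed with a different key would presumably exercise one of them. The test function starts and ends outside these hunks.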