From 79eefb1ccf506e38b64f07c0172aab6feb107384 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sat, 14 May 2022 21:55:44 +0200
Subject: [PATCH] fix: return error if Authorization header is supplied but is invalid

---
 backend/server/auth.go   | 9 ++++++++-
 backend/server/errors.go | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/backend/server/auth.go b/backend/server/auth.go
index 08c4861..5cb4b3e 100644
--- a/backend/server/auth.go
+++ b/backend/server/auth.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"codeberg.org/u1f320/pronouns.cc/backend/server/auth"
@@ -19,7 +20,13 @@ func (s *Server) maybeAuth(next http.Handler) http.Handler {
 
 		claims, err := s.Auth.Claims(token)
 		if err != nil {
-			// if we get here, a token was supplied but it's invalid--return an error
+			fmt.Printf("%q: %q\n", "Authorization", token)
+			render.Status(r, errCodeStatuses[ErrForbidden])
+			render.JSON(w, r, APIError{
+				Code:    ErrForbidden,
+				Message: errCodeMessages[ErrForbidden],
+			})
+			return
 		}
 
 		ctx := context.WithValue(r.Context(), ctxKeyClaims, claims)
diff --git a/backend/server/errors.go b/backend/server/errors.go
index 68108f1..5a37ff1 100644
--- a/backend/server/errors.go
+++ b/backend/server/errors.go
@@ -69,6 +69,7 @@ const (
 	// Login/authorize error codes
 	ErrInvalidState     = 1001
 	ErrInvalidOAuthCode = 1002
+	ErrInvalidToken     = 1003 // a token was supplied, but it is invalid
 
 	// User-related error codes
 	ErrUserNotFound = 2001
@@ -81,6 +82,7 @@ var errCodeMessages = map[int]string{
 
 	ErrInvalidState:     "Invalid OAuth state",
 	ErrInvalidOAuthCode: "Invalid OAuth code",
+	ErrInvalidToken:     "Supplied token was invalid",
 
 	ErrUserNotFound: "User not found",
 }
@@ -92,6 +94,7 @@ var errCodeStatuses = map[int]int{
 
 	ErrInvalidState:     http.StatusBadRequest,
 	ErrInvalidOAuthCode: http.StatusForbidden,
+	ErrInvalidToken:     http.StatusUnauthorized,
 
 	ErrUserNotFound: http.StatusNotFound,
 }
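Review bot: The new `fmt.Printf("%q: %q\n", "Authorization", token)` in the maybeAuth hunk writes the raw bearer token to stdout, which puts a credential into process logs; this reads as leftover debugging and should be removed together with the `"fmt"` import added in the first hunk (if a trace is wanted, log that a token was rejected, never its value). The response also uses ErrForbidden on three lines even though this same commit adds ErrInvalidToken with a 401 status in the three errors.go hunks, so the new code and message are never reached; use `render.Status(r, errCodeStatuses[ErrInvalidToken])` and `Code: ErrInvalidToken, Message: errCodeMessages[ErrInvalidToken],`. Because ErrInvalidToken maps to http.StatusUnauthorized, a `w.Header().Set("WWW-Authenticate", "Bearer")` before the status write is what RFC 7235 requires of a 401 response. maybeAuth starts before the hunk and continues past it.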