JWT expired Bearer token returns 400 - RFC 6750 demands 401

Open mdaneri opened this issue 1 year ago • 1 comments

Based on the RFC https://www.rfc-editor.org/rfc/rfc6750, an expired bearer token should return 401, not 400.

private/Authentication.ps1, line 429:

    if ($options.AsJWT) {
        try {
            $payload = ConvertFrom-PodeJwt -Token $token -Secret $options.Secret
            Test-PodeJwt -Payload $payload
        }
        catch {
            if ($_.Exception.Message -ilike '*jwt*') {
                return @{
                    Message = $_.Exception.Message
                    Code = 400
                }
            }

            throw
        }
        $result = @($payload)
    }

should be changed to

    if ($options.AsJWT) {
        try {
            $payload = ConvertFrom-PodeJwt -Token $token -Secret $options.Secret
            Test-PodeJwt -Payload $payload
        }
        catch {
            if ($_.Exception.Message -ilike '*jwt*') {
                return @{
                    Message = $_.Exception.Message
                    # https://www.rfc-editor.org/rfc/rfc6750 - Bearer token errors should return 401
                    Challenge = (New-PodeAuthBearerChallenge -Scopes $options.Scopes -ErrorType invalid_token)
                    Code = 401
                }
            }
            throw
        }
        $result = @($payload)
    }

mdaneri, Sep 22 '23 00:09
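As an added example, not part of the issue or of Pode's own code, the following PowerShell shows the mapping RFC 6750 section 3.1 defines between bearer-token error codes and HTTP status codes, together with the WWW-Authenticate challenge a client should receive. The function name New-BearerErrorResponse and its parameters are hypothetical; an expired JWT falls under invalid_token and therefore gets 401 with a Bearer challenge rather than a bare 400.

```powershell
# Added example (hypothetical helper, not Pode's code): build an RFC 6750
# section 3.1 bearer error response. Error codes map to status codes as
# invalid_request -> 400, invalid_token -> 401, insufficient_scope -> 403.
function New-BearerErrorResponse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('invalid_request', 'invalid_token', 'insufficient_scope')]
        [string]$ErrorType,

        [string]$Realm = 'api',
        [string[]]$Scopes = @(),
        [string]$Description
    )

    $status = switch ($ErrorType) {
        'invalid_request'    { 400 }
        'invalid_token'      { 401 }
        'insufficient_scope' { 403 }
    }

    # Assemble the auth-param list of the "Bearer" challenge.
    $parts = @("realm=`"$Realm`"")
    if ($Scopes.Count -gt 0) {
        $parts += "scope=`"$($Scopes -join ' ')`""
    }
    $parts += "error=`"$ErrorType`""
    if ($Description) {
        # error_description is a quoted-string, so drop embedded double quotes.
        $parts += "error_description=`"$($Description -replace '"', '')`""
    }

    return @{
        StatusCode = $status
        Headers    = @{ 'WWW-Authenticate' = "Bearer $($parts -join ', ')" }
    }
}

# Constructed usage: the response an expired token should produce.
$resp = New-BearerErrorResponse -ErrorType invalid_token -Scopes 'read', 'write' -Description 'The access token expired'
"HTTP $($resp.StatusCode)"
$resp.Headers['WWW-Authenticate']
```

Wiring a helper like this into the catch block above keeps the status code and the challenge header consistent: a 401 without a WWW-Authenticate header is as non-compliant as a 400, because RFC 6750 requires the challenge whenever the request lacked valid credentials.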

It's fixed on my fork

mdaneri, Sep 22 '23 00:09