jwt
Permit only certain errors on parsing
My scenario is that, for example, I want to skip the validation under certain circumstances. To achieve that, I invoke jwt.ParseWithClaims(...) and want to check afterward whether it was the signature check which failed. I understand that I could achieve most of that with errors.Is(myParsingErr, jwt.ErrTokenSignatureInvalid).
My gripe with that solution is that I'd implicitly accept other errors wrapped in myParsingErr, as long as my one permitted error is amongst those, and I'm not sure whether this could be exploited, e.g. when ErrTokenInvalidClaims "hides" an invalid signature.
My workaround for now is:
import (
	"errors"
	"slices"

	"github.com/golang-jwt/jwt/v5" // import path assumed; the post does not name the version
)

var allJWTErrs = [...]error{
	jwt.ErrInvalidKey, jwt.ErrInvalidKeyType, jwt.ErrHashUnavailable, jwt.ErrTokenMalformed, jwt.ErrTokenUnverifiable,
	jwt.ErrTokenSignatureInvalid, jwt.ErrTokenRequiredClaimMissing, jwt.ErrTokenInvalidAudience, jwt.ErrTokenExpired,
	jwt.ErrTokenUsedBeforeIssued, jwt.ErrTokenInvalidIssuer, jwt.ErrTokenInvalidSubject, jwt.ErrTokenNotValidYet,
	jwt.ErrTokenInvalidId, jwt.ErrTokenInvalidClaims, jwt.ErrInvalidType,
}

// isAtMostOneOfTheseJWTErrs checks whether the given error is no jwt error, apart from the exceptions
func isAtMostOneOfTheseJWTErrs(toCheck error, jwtErrExceptions ...error) bool {
	for _, knownErr := range allJWTErrs {
		// Skip only those known errors that are themselves listed as exceptions.
		if !slices.ContainsFunc(jwtErrExceptions, func(exception error) bool {
			return errors.Is(knownErr, exception)
		}) {
			// Any other known jwt error contained in toCheck fails the check.
			if errors.Is(toCheck, knownErr) {
				return false
			}
		}
	}
	return true
}
But this logic must be checked/maintained whenever a new minor version of the jwt library gets released, to ensure all possible errors are covered. Therefore, it would be nice if all possible errors - so basically the array I'm creating myself atm - would be exposed by the library. Or if there was a check for that provided by the jwt library itself.
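
A deny-by-default variant of this check, as an added example that is not part of the original post or of the jwt library: it walks the error tree and rejects any leaf that is not explicitly permitted, so no list of all library errors has to be kept up to date. The sentinels are stand-ins constructed for the example, and `leaves` and `onlyPermitted` are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in sentinels, constructed for this example; not the library's values.
var errSignatureInvalid = errors.New("signature is invalid")
var errTokenExpired = errors.New("token is expired")

// leaves flattens an error tree (Unwrap() error and Unwrap() []error) into its leaf errors.
func leaves(err error) []error {
	var out []error
	switch e := err.(type) {
	case nil:
		return nil
	case interface{ Unwrap() []error }:
		for _, child := range e.Unwrap() {
			out = append(out, leaves(child)...)
		}
	case interface{ Unwrap() error }:
		out = leaves(e.Unwrap())
	}
	if len(out) == 0 {
		out = []error{err} // a leaf, or a wrapper with nothing inside
	}
	return out
}

// onlyPermitted reports whether every leaf of err matches one of permitted (nil err: true).
func onlyPermitted(err error, permitted ...error) bool {
	for _, leaf := range leaves(err) {
		ok := false
		for _, p := range permitted {
			ok = ok || errors.Is(leaf, p)
		}
		if !ok {
			return false
		}
	}
	return true
}

func main() {
	mixed := errors.Join(errSignatureInvalid, errTokenExpired) // constructed error tree
	fmt.Println(errors.Is(mixed, errSignatureInvalid), onlyPermitted(mixed, errSignatureInvalid))
}
```

With this approach a lower-level cause that a library attaches next to its sentinel is also a leaf and has to be permitted explicitly.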