fix: return 401 instead of 403 on expired tokens (#8476)

# Which Problems Are Solved

The access token verifier returned a permission denied (HTTP 403 / GRPC
7) instead of an unauthenticated (HTTP 401 / GRPC 16) error.

# How the Problems Are Solved

Return the correct error type.

# Additional Changes

None

# Additional Context

close #8392
This commit is contained in:
Livio Spring 2024-08-26 12:15:40 +02:00 committed by GitHub
parent 862d141171
commit cbbd44c303
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -109,14 +109,14 @@ func (q *Queries) ActiveAccessTokenByToken(ctx context.Context, token string) (m
split := strings.Split(token, "-") split := strings.Split(token, "-")
if len(split) != 2 { if len(split) != 2 {
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid") return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid")
} }
model, err = q.accessTokenByOIDCSessionAndTokenID(ctx, split[0], split[1]) model, err = q.accessTokenByOIDCSessionAndTokenID(ctx, split[0], split[1])
if err != nil { if err != nil {
return nil, err return nil, err
} }
if !model.AccessTokenExpiration.After(time.Now()) { if !model.AccessTokenExpiration.After(time.Now()) {
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired") return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired")
} }
if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.Position, model.UserAgent.GetFingerprintID()); err != nil { if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.Position, model.UserAgent.GetFingerprintID()); err != nil {
return nil, err return nil, err
@ -130,10 +130,10 @@ func (q *Queries) accessTokenByOIDCSessionAndTokenID(ctx context.Context, oidcSe
model = newOIDCSessionAccessTokenReadModel(oidcSessionID) model = newOIDCSessionAccessTokenReadModel(oidcSessionID)
if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil { if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
return nil, zerrors.ThrowPermissionDenied(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid") return nil, zerrors.ThrowUnauthenticated(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")
} }
if model.AccessTokenID != tokenID { if model.AccessTokenID != tokenID {
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid") return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid")
} }
return model, nil return model, nil
} }
@ -152,11 +152,11 @@ func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID,
} }
err = q.eventstore.FilterToQueryReducer(ctx, model) err = q.eventstore.FilterToQueryReducer(ctx, model)
if err != nil { if err != nil {
return zerrors.ThrowPermissionDenied(err, "QUERY-SJ642", "Errors.Internal") return zerrors.ThrowUnauthenticated(err, "QUERY-SJ642", "Errors.Internal")
} }
if model.terminated { if model.terminated {
return zerrors.ThrowPermissionDenied(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid") return zerrors.ThrowUnauthenticated(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid")
} }
return nil return nil
} }
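Review bot: In the third hunk (checkSessionNotTerminatedAfter), the eventstore failure at the `FilterToQueryReducer` call is now surfaced as Unauthenticated even though its message key is `Errors.Internal`; a storage or query outage would then reach callers as a 401 / gRPC 16, which looks like a bad or expired token rather than a backend fault and, if clients react to 401 by discarding the token and re-authenticating, turns an infrastructure error into forced logouts that are hard to distinguish from real auth failures in logs and metrics. The blanket 403→401 swap is right for the token-invalid and token-expired branches, but this line should keep an internal error type to match its key, e.g. `return zerrors.ThrowInternal(err, "QUERY-SJ642", "Errors.Internal")`. The same pattern is visible in the second hunk at `QUERY-ASfe2`, where a query error is also mapped to Unauthenticated with `Errors.OIDCSession.Token.Invalid`; that one may be intentional (lookup failure treated as unknown token), but it deserves a short comment stating so. All three enclosing functions start outside their hunks, so any earlier error mappings in them are not visible here.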