```java
JWTVerifier verifier = JWT.require(getAlgorithm()).build();
DecodedJWT decodedJWT = verifier.verify(token);
Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
if (isActive == null || !isActive) {
    throw new NotAuthorizedException("Token is not active");
}
if (decodedJWT.getExpiresAtAsInstant().isBefore(Instant.now())) {
    throw new NotAuthorizedException("Token has expired");
}
```
### Is this a possible security vulnerability?

### Describe the bug

When sending an HTTP request with an expired token, 5xx is returned instead of 401.

### To Reproduce

### Actual Behavior

5xx HTTP response.

### Expected Behavior

401 HTTP response.

### Additional context

The issue is with this code snippet:
https://github.com/apache/polaris/blob/main/polaris-service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java#L59

`verifier.verify` throws `JWTVerificationException` if the token verification fails:
https://github.com/auth0/java-jwt/blob/fb6d00ad9773c6e7624c518feb2d06ed191287fa/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L346

This is an uncaught exception. The exception `NotAuthorizedException` should have been returned instead.

### System information

N/A
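The failure path described in this report, shown as an added example that is not part of the issue and not Polaris code. It assumes `com.auth0:java-jwt` 4.x and the Jakarta REST API on the classpath; the secret, the `CLAIM_KEY_ACTIVE` name and the class name are constructed for the demo. `verifyBefore` keeps the shape of the quoted snippet, `verifyAfter` catches `JWTVerificationException` and converts it into the `NotAuthorizedException` the reporter expects:

```java
// Added example (not Polaris code): map java-jwt verification failures to a 401.
// Assumes com.auth0:java-jwt 4.x and jakarta.ws.rs-api on the classpath.
import java.time.Instant;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import jakarta.ws.rs.NotAuthorizedException;

public class TokenCheckExample {
    // Constructed demo secret; a real service loads its signing key from configuration.
    private static final String DEMO_SECRET = "demo-secret-not-for-production";
    // Constructed claim name, standing in for the project's CLAIM_KEY_ACTIVE constant.
    private static final String CLAIM_KEY_ACTIVE = "active";

    private static Algorithm getAlgorithm() {
        return Algorithm.HMAC256(DEMO_SECRET);
    }

    /** Same control flow as the snippet in the issue: JWTVerificationException escapes. */
    static DecodedJWT verifyBefore(String token) {
        JWTVerifier verifier = JWT.require(getAlgorithm()).build();
        // verify() already validates the signature and the exp claim; an expired or
        // tampered token throws here, before any of the checks below run.
        DecodedJWT decodedJWT = verifier.verify(token);
        Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
        if (isActive == null || !isActive) {
            throw new NotAuthorizedException("Token is not active");
        }
        if (decodedJWT.getExpiresAtAsInstant().isBefore(Instant.now())) {
            throw new NotAuthorizedException("Token has expired");
        }
        return decodedJWT;
    }

    /** Hardened version: every verification failure becomes a 401 with a challenge. */
    static DecodedJWT verifyAfter(String token) {
        JWTVerifier verifier = JWT.require(getAlgorithm()).build();
        DecodedJWT decodedJWT;
        try {
            decodedJWT = verifier.verify(token);
        } catch (JWTVerificationException e) {
            // Covers TokenExpiredException, SignatureVerificationException,
            // JWTDecodeException, AlgorithmMismatchException, InvalidClaimException.
            // The cause is kept for server-side logging; the client only sees 401.
            throw new NotAuthorizedException("Token verification failed", e, "Bearer");
        }
        Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
        if (isActive == null || !isActive) {
            throw new NotAuthorizedException("Token is not active");
        }
        return decodedJWT;
    }

    public static void main(String[] args) {
        // Constructed input: a correctly signed token that expired one minute ago.
        String expired = JWT.create()
                .withClaim(CLAIM_KEY_ACTIVE, true)
                .withExpiresAt(Instant.now().minusSeconds(60))
                .sign(getAlgorithm());

        try {
            verifyBefore(expired);
        } catch (JWTVerificationException e) {
            // In a JAX-RS resource this unmapped exception surfaces as a 5xx.
            System.out.println("before: uncaught " + e.getClass().getSimpleName());
        }

        try {
            verifyAfter(expired);
        } catch (NotAuthorizedException e) {
            // NotAuthorizedException is a WebApplicationException mapped to HTTP 401.
            System.out.println("after: " + e.getResponse().getStatus()
                    + " caused by " + e.getCause().getClass().getSimpleName());
        }
    }
}
```

Two points worth noting for anyone fixing this. First, java-jwt's `verify()` checks the `exp` claim itself and throws `TokenExpiredException` (a subclass of `JWTVerificationException`) before the explicit `getExpiresAtAsInstant()` comparison is ever reached, so that comparison never produces the intended 401 for an expired token; the `try`/`catch` is what actually maps expiry to 401. Second, the 5xx is not only a status-code cosmetic issue: unmapped exceptions on the authentication path are typically logged and alerted as server faults, may expose stack traces through a default error handler, and let an unauthenticated caller distinguish "bad token" from "server error" only by accident rather than by design.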