
[BUG] expired JWT token returns 5xx instead of 401 #304

Open
1 task done
TomerHeber opened this issue Sep 17, 2024 · 1 comment
Labels
bug Something isn't working

Comments


TomerHeber commented Sep 17, 2024

Is this a possible security vulnerability?

  • This is NOT a possible security vulnerability

Describe the bug

When sending an http request with an expired token, 5xx is returned instead of 401.

To Reproduce

  1. Enable JWTBroker.
  2. Generate a token with credentials.
  3. Wait 60 minutes.
  4. Send a request with the expired token. Returns 5xx instead of 401.

oauth2:
  # type: test
  type: default
  tokenBroker:
    type: symmetric-key
    secret: polaris

authenticator:
  # class: org.apache.polaris.service.auth.TestInlineBearerTokenPolarisAuthenticator
  class: org.apache.polaris.service.auth.DefaultPolarisAuthenticator
  tokenBroker:
    type: symmetric-key
    secret: polaris

Actual Behavior

5xx http response.

Expected Behavior

401 http response.

Additional context

The issue is with this code snippet:
https://github.com/apache/polaris/blob/main/polaris-service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java#L59

JWTVerifier verifier = JWT.require(getAlgorithm()).build();
// verify() checks the signature and the 'exp' claim itself; an expired token throws
// JWTVerificationException here, so the manual expiry check below is never reached
DecodedJWT decodedJWT = verifier.verify(token);
Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
if (isActive == null || !isActive) {
  throw new NotAuthorizedException("Token is not active");
}
if (decodedJWT.getExpiresAtAsInstant().isBefore(Instant.now())) {
  throw new NotAuthorizedException("Token has expired");
}

verifier.verify throws JWTVerificationException if the token verification fails.
https://github.com/auth0/java-jwt/blob/fb6d00ad9773c6e7624c518feb2d06ed191287fa/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L346

This is an uncaught exception.
The exception NotAuthorizedException should have been returned instead.

System information

N/A

@TomerHeber TomerHeber added the bug Something isn't working label Sep 17, 2024
@TomerHeber TomerHeber changed the title [BUG] expired JWT token return 5xx instead of 401 [BUG] expired JWT token returns 5xx instead of 401 Sep 17, 2024
TomerHeber (Author) commented:

Consider using the decode function instead:
https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/JWT.html
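The following is an added example, not code from the Polaris project or from the issue author, showing how the verify step described in the report can be wrapped so that an expired, malformed or badly signed token surfaces as a 401 rather than an uncaught JWTVerificationException (5xx). It assumes com.auth0:java-jwt 4.x on the classpath; the constructed secret and claim names are placeholders, and a local Unauthorized exception stands in for jakarta.ws.rs.NotAuthorizedException so the class runs without a JAX-RS runtime (in Polaris the catch blocks would throw NotAuthorizedException instead). Note that JWT.decode(), suggested in the comment above, only parses the token and does not check the signature, so the example keeps verifier.verify() and maps its exceptions rather than replacing it with decode().

```java
import java.time.Instant;
import java.util.Date;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;

/** Illustrative token broker (hypothetical, not Polaris' JWTBroker). */
public class ExpiredTokenExample {
    private static final String CLAIM_KEY_ACTIVE = "active";

    /** Stand-in for jakarta.ws.rs.NotAuthorizedException; carries the status the server should return. */
    static final class Unauthorized extends RuntimeException {
        final int status = 401;
        Unauthorized(String message) { super(message); }
    }

    private final Algorithm algorithm;

    ExpiredTokenExample(String secret) {
        this.algorithm = Algorithm.HMAC256(secret);
    }

    /** Mints a token; passing an expiresAt in the past yields an already-expired token for the demo. */
    String mint(String subject, Instant expiresAt, boolean active) {
        return JWT.create()
                .withSubject(subject)
                .withClaim(CLAIM_KEY_ACTIVE, active)
                .withIssuedAt(new Date())
                .withExpiresAt(Date.from(expiresAt))
                .sign(algorithm);
    }

    /**
     * Verifies signature, 'exp' and the custom active claim. Every verification failure is
     * turned into Unauthorized (401) instead of escaping as a JWTVerificationException (500).
     */
    DecodedJWT verify(String token) {
        JWTVerifier verifier = JWT.require(algorithm).build();
        DecodedJWT decodedJWT;
        try {
            // verify() already enforces 'exp' (no leeway by default), so an expired token
            // throws TokenExpiredException here, before any manual expiry check is reached.
            decodedJWT = verifier.verify(token);
        } catch (TokenExpiredException e) {
            throw new Unauthorized("Token has expired");
        } catch (JWTVerificationException e) {
            // bad signature, malformed token, algorithm mismatch, claim mismatch, ...
            throw new Unauthorized("Token verification failed");
        }
        Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
        if (isActive == null || !isActive) {
            throw new Unauthorized("Token is not active");
        }
        return decodedJWT;
    }

    public static void main(String[] args) {
        // Constructed demo secret; not a Polaris value.
        ExpiredTokenExample broker = new ExpiredTokenExample("demo-secret-not-polaris");
        String valid = broker.mint("alice", Instant.now().plusSeconds(3600), true);
        String expired = broker.mint("alice", Instant.now().minusSeconds(3600), true);
        String garbage = "not.a.jwt"; // malformed token, also a JWTVerificationException subclass

        System.out.println("valid token subject: " + broker.verify(valid).getSubject());
        for (String bad : new String[] {expired, garbage}) {
            try {
                broker.verify(bad);
            } catch (Unauthorized e) {
                System.out.println("HTTP " + e.status + ": " + e.getMessage());
            }
        }
    }
}
```

The ordering of the catch blocks matters: TokenExpiredException is a subclass of JWTVerificationException, so it must be caught first to keep the distinct "Token has expired" message; the general catch then covers signature, decoding and claim failures with one non-specific message, which is what a client should see on an authentication failure.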
