
Expired token sends wrong http status code 500 #268

Closed
EvoPulseGaming opened this issue Oct 4, 2019 · 5 comments
EvoPulseGaming commented Oct 4, 2019

When my application attempts to use the REST service with an expired token, the reply from Fusio is HTTP status 500 (Internal Server Error), when it should be 401 (Unauthorized).

Edit: not that it should make a difference, but I do have development enabled instead of production.

@EvoPulseGaming EvoPulseGaming changed the title Expired token sends wrong https status Expired token sends wrong http status code 500 Oct 4, 2019
chriskapp (Member) commented:

Hi, is there a specific router where this occurs? In general Fusio should return a 401 in case your endpoint requires authorization and you have not provided an Authorization header, see:
https://github.com/apioo/fusio-impl/blob/master/src/Service/Security/TokenValidator.php#L116

EvoPulseGaming (Author) commented Oct 12, 2019:

The reply from the server for an expired token is 500:
https://evotracker.evo-pulse.com/isloggedin

{
"success": false,
"title": "Firebase\JWT\ExpiredException",
"message": "Expired token in /home/evopulse/public_html/evotracker/vendor/firebase/php-jwt/src/JWT.php on line 134",
"trace": "#0 /home/evopulse/public_html/evotracker/vendor/fusio/impl/src/Service/Security/TokenValidator.php(149): Firebase\JWT\JWT::decode('eyJ0eXAiOiJKV1Q...', '3312d99f0c3d91a...', Array)\n#1 /home/evopulse/public_html/evotracker/vendor/fusio/impl/src/Service/Security/TokenValidator.php(103): Fusio\Impl\Service\Security\TokenValidator->getToken('eyJ0eXAiOiJKV1Q...', 123, 'GET')\n#2 /home/evopulse/public_html/evotracker/vendor/fusio/impl/src/Filter/Authentication.php(62): Fusio\Impl\Service\Security\TokenValidator->assertAuthorization('GET', 'Bearer eyJ0eXAi...', Object(Fusio\Impl\Loader\Context))\n#3 /home/evopulse/public_html/evotracker/vendor/psx/http/src/Filter/FilterChain.php(110): Fusio\Impl\Filter\Authentication->handle(Object(PSX\Http\Request), Object(PSX\Http\Response), Object(PSX\Http\Filter\FilterChain))\n#4 /home/evopulse/public_html/evotracker/vendor/fusio/impl/src/Filter/AssertMethod.php(95): PSX\Http\Filter\FilterChain->handle(Object(PSX\Http\Request), Object(PSX\Http\Response))\n#5 /home/evopulse/public_html/evotracker/vendor/psx/http/src/Filter/FilterChain.php(110): Fusio\Impl\Filter\AssertMethod->handle(Object(PSX\Http\Request), Object(PSX\Http\Response), Object(PSX\Http\Filter\FilterChain))\n#6 /home/evopulse/public_html/evotracker/vendor/psx/http/src/Filter/UserAgentEnforcer.php(43): PSX\Http\Filter\FilterChain->handle(Object(PSX\Http\Request), Object(PSX\Http\Response))\n#7 /home/evopulse/public_html/evotracker/vendor/psx/http/src/Filter/FilterChain.php(110): PSX\Http\Filter\UserAgentEnforcer->handle(Object(PSX\Http\Request), Object(PSX\Http\Response), Object(PSX\Http\Filter\FilterChain))\n#8 /home/evopulse/public_html/evotracker/vendor/psx/framework/src/Loader/Loader.php(123): PSX\Http\Filter\FilterChain->handle(Object(PSX\Http\Request), Object(PSX\Http\Response))\n#9 /home/evopulse/public_html/evotracker/vendor/psx/framework/src/Loader/Loader.php(102): PSX\Framework\Loader\Loader->execute(Array, Object(PSX\Http\Request), Object(PSX\Http\Response))\n#10 /home/evopulse/public_html/evotracker/vendor/psx/framework/src/Dispatch/Dispatch.php(125): PSX\Framework\Loader\Loader->load(Object(PSX\Http\Request), Object(PSX\Http\Response), Object(Fusio\Impl\Loader\Context))\n#11 /home/evopulse/public_html/evotracker/vendor/psx/framework/src/Environment/WebServer/Engine.php(47): PSX\Framework\Dispatch\Dispatch->route(Object(PSX\Http\Request), Object(PSX\Http\Response))\n#12 /home/evopulse/public_html/evotracker/vendor/psx/framework/src/Environment/Environment.php(67): PSX\Framework\Environment\WebServer\Engine->serve(Object(PSX\Framework\Dispatch\Dispatch), Object(PSX\Framework\Config\Config))\n#13 /home/evopulse/public_html/evotracker/public/index.php(29): PSX\Framework\Environment\Environment->serve()\n#14 {main}",
"context": "130 }\n131 \n132 // Check if this token has expired.\n133 if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {\n134 throw new ExpiredException('Expired token');\n135 }\n136 \n137 return $payload;\n138 }\n"
}

chriskapp (Member) commented:

OK, I see this is a valid point; we should add a try/catch around the JWT decode to return the fitting status code.
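The pattern behind the fix chriskapp describes, as an added example that is not Fusio's code and not the commit linked below; it is written in Python rather than the project's PHP so that it runs stand-alone without firebase/php-jwt. A minimal HS256 decoder checks the signature before the `exp` claim (the comparison `(now - leeway) >= exp` mirrors the php-jwt line 133 shown in the context above), and an authentication filter maps every client-side token fault, expired, malformed, wrong algorithm or bad signature, to 401 with a `WWW-Authenticate` header, keeping 500 for genuine server faults and returning no trace in either case. The names `decode_hs256`, `authenticate` and `TokenError`, the key and the timestamps are assumptions constructed for the example. One caveat a practitioner should take from the 500 body above: besides the wrong status code, a debug error response echoes the stack trace, which here includes filesystem paths and the first characters of the second `JWT::decode` argument, i.e. the signing key, so the production error body must stay generic whatever status code is chosen.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any fault in the client's token: must become 401, never 500."""


class ExpiredToken(TokenError):
    """Token is syntactically and cryptographically fine but past its exp."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def encode_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT; helper so the example can build its own test tokens offline."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_hs256(token: str, key: bytes, now: int, leeway: int = 0) -> dict:
    """Verify the signature first, then exp. Raises TokenError subclasses for client faults."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as e:  # binascii.Error is a ValueError
        raise TokenError("malformed token") from e
    # Pin the algorithm server-side; never let the token's alg select the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError) as e:
        raise TokenError("malformed payload") from e
    if not isinstance(payload, dict):
        raise TokenError("malformed payload")
    exp = payload.get("exp")
    # Same rule as php-jwt: expired once (now - leeway) reaches exp.
    if isinstance(exp, (int, float)) and (now - leeway) >= exp:
        raise ExpiredToken("expired token")
    return payload


def authenticate(headers: dict, key: bytes, now: int = None):
    """Authentication filter: returns (status, response_headers, body) for a request."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"success": False, "message": "Unauthorized"}
    try:
        payload = decode_hs256(auth[len("Bearer "):], key, now)
    except ExpiredToken:
        hdr = 'Bearer error="invalid_token", error_description="The access token expired"'
        return 401, {"WWW-Authenticate": hdr}, {"success": False, "message": "Token expired"}
    except TokenError:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, {"success": False, "message": "Invalid token"}
    except Exception:
        # A real server fault: log the trace server-side, send the client nothing but a generic body.
        return 500, {}, {"success": False, "message": "Internal server error"}
    return 200, {}, {"success": True, "sub": payload.get("sub")}


if __name__ == "__main__":
    key = b"constructed-example-secret"  # constructed; not a real key
    now = 1_700_000_000
    expired = encode_hs256({"sub": "alice", "exp": now - 1}, key)
    print(authenticate({"Authorization": "Bearer " + expired}, key, now)[0])  # 401, not 500
```

Because the signature is checked before `exp`, an attacker cannot use the distinct "Token expired" message to probe whether a forged token's claims were parsed; only a correctly signed token reaches that branch.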

@chriskapp chriskapp added bug and removed question labels Oct 13, 2019
chriskapp (Member) commented:

I have just committed a fix for this issue, see: apioo/fusio-impl@a0be884
This fix is then included in the next release.

EvoPulseGaming (Author) commented:

Thank you, glad it was an easy one for once! Have a great day.
