Permit only certain errors on parsing #395

Open
JonasDoe opened this issue Jun 27, 2024 · 2 comments

JonasDoe commented Jun 27, 2024

My scenario is that, for example, I want to skip the validation under certain circumstances. To achieve that, I invoke jwt.ParseWithClaims(...) and want to check afterward whether it was the signature check which failed. I understand that I could achieve most of that with errors.Is(myParsingErr, jwt.ErrTokenSignatureInvalid).

My gripe with that solution is that I'd implicitly accept other errors wrapped in myParsingErr - as long as my one permitted error is amongst those - and I'm not sure whether this could be exploited, e.g. when ErrTokenInvalidClaims "hides" an invalid signature.

My workaround for now is:

import (
	"errors"
	"slices"

	"github.com/golang-jwt/jwt/v5"
)

// allJWTErrs lists every sentinel error of the jwt package known to this code.
var allJWTErrs = [...]error{
	jwt.ErrInvalidKey, jwt.ErrInvalidKeyType, jwt.ErrHashUnavailable, jwt.ErrTokenMalformed, jwt.ErrTokenUnverifiable,
	jwt.ErrTokenSignatureInvalid, jwt.ErrTokenRequiredClaimMissing, jwt.ErrTokenInvalidAudience, jwt.ErrTokenExpired,
	jwt.ErrTokenUsedBeforeIssued, jwt.ErrTokenInvalidIssuer, jwt.ErrTokenInvalidSubject, jwt.ErrTokenNotValidYet,
	jwt.ErrTokenInvalidId, jwt.ErrTokenInvalidClaims, jwt.ErrInvalidType,
}

// isAtMostOneOfTheseJWTErrs checks whether the given error contains no jwt error apart from the exceptions.
func isAtMostOneOfTheseJWTErrs(toCheck error, jwtErrExceptions ...error) bool {
	for _, knownErr := range allJWTErrs {
		// Skip only those known errors that are themselves permitted. The comparison
		// is against knownErr, not toCheck: testing toCheck here would skip every
		// check as soon as one permitted error is present in the chain.
		if !slices.ContainsFunc(jwtErrExceptions, func(exception error) bool {
			return errors.Is(knownErr, exception)
		}) {
			if errors.Is(toCheck, knownErr) {
				return false
			}
		}
	}
	return true
}

But this logic must be checked/maintained whenever a new minor version of the jwt library gets released, to ensure all possible errors are covered. Therefore, it would be nice if all possible errors - so basically the array I'm creating myself atm - would be exposed by the library. Or if there was a check for that provided by the jwt library itself.

Member

mfridman commented Sep 6, 2024

I wonder if a type ParseError struct{} would help here.

Although wouldn't you still need to errors.As and then ignore certain classes of errors?

I'm not sure we want to expose a list of errors, that's not something I've observed in the wild. But the standard solution is to expose an error type.

Author

JonasDoe commented Sep 6, 2024

Hm, a ParseError struct might be nice b/c it could come with some method receivers which cover that logic:

func (err *ParseError) ToOtherErrThan(jwtErrExceptions ...error) (remaining error) // result allows a run-of-the-mill if err != nil check.
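
A stricter check than errors.Is for the concern raised in this thread, as an added example that is not part of the issue or of the jwt library: it walks the whole error tree and returns every leaf error that is not on the allow list, in the spirit of the ToOtherErrThan idea, without needing a list of all library errors. The sentinel errors, `leaves` and `otherThan` are hypothetical stand-ins built with the standard library only, and the example assumes the parse error exposes its causes through `Unwrap() error` or `Unwrap() []error`. Any underlying cause that shows up as a leaf must be permitted explicitly, so the check fails closed.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

// Constructed stand-ins for the library's sentinel errors and for two parse results.
var (
	errSignatureInvalid = errors.New("token signature is invalid")
	errInvalidClaims    = errors.New("token has invalid claims")
	errExpired          = errors.New("token is expired")
	sigOnly             = fmt.Errorf("parse: %w", errSignatureInvalid)
	mixed               = fmt.Errorf("%w: %w", errSignatureInvalid, errors.Join(errInvalidClaims, errExpired))
)

// leaves flattens an error tree into the errors that wrap nothing further.
func leaves(err error) []error {
	switch e := err.(type) {
	case nil:
		return nil
	case interface{ Unwrap() []error }:
		var out []error
		for _, child := range e.Unwrap() {
			out = append(out, leaves(child)...)
		}
		return out
	case interface{ Unwrap() error }:
		if inner := e.Unwrap(); inner != nil {
			return leaves(inner)
		}
	}
	return []error{err}
}

// otherThan (hypothetical) returns nil only if every leaf of err is permitted, else the other leaves joined.
func otherThan(err error, permitted ...error) error {
	var remaining []error
	for _, leaf := range leaves(err) {
		if !slices.ContainsFunc(permitted, func(p error) bool { return errors.Is(leaf, p) }) {
			remaining = append(remaining, leaf)
		}
	}
	return errors.Join(remaining...)
}

func main() {
	fmt.Println(errors.Is(mixed, errSignatureInvalid), otherThan(sigOnly, errSignatureInvalid), otherThan(mixed, errSignatureInvalid))
}
```

errors.Is accepts `mixed` because the permitted error is somewhere in the tree, while `otherThan` still returns the claim errors wrapped alongside it.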
