From 3289698d4ced06a6dc86690daab9777ede73c879 Mon Sep 17 00:00:00 2001 From: Livio Spring Date: Mon, 26 Aug 2024 12:15:40 +0200 Subject: [PATCH] fix: return 401 instead of 403 on expired tokens (#8476) # Which Problems Are Solved The access token verifier returned a permission denied (HTTP 403 / GRPC 7) instead of a unauthenticated (HTTP 401 / GRPC 16) error. # How the Problems Are Solved Return the correct error type. # Additional Changes None # Additional Context close #8392 (cherry picked from commit cbbd44c303c6a06a5ef3d6c8fecd6fca63ec8705)
---
 internal/query/access_token.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/internal/query/access_token.go b/internal/query/access_token.go
index a777a6afc7..4180a6ad5e 100644
--- a/internal/query/access_token.go
+++ b/internal/query/access_token.go
@@ -109,14 +109,14 @@ func (q *Queries) ActiveAccessTokenByToken(ctx context.Context, token string) (m
 split := strings.Split(token, "-")
 if len(split) != 2 {
-return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid")
+return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid")
 }
 model, err = q.accessTokenByOIDCSessionAndTokenID(ctx, split[0], split[1])
 if err != nil {
 return nil, err
 }
 if !model.AccessTokenExpiration.After(time.Now()) {
-return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired")
+return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired")
 }
 if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.Position, model.UserAgent.GetFingerprintID()); err != nil {
 return nil, err
@@ -130,10 +130,10 @@ func (q *Queries) accessTokenByOIDCSessionAndTokenID(ctx context.Context, oidcSe
 model = newOIDCSessionAccessTokenReadModel(oidcSessionID)
 if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
-return nil, zerrors.ThrowPermissionDenied(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")
+return nil, zerrors.ThrowUnauthenticated(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")
 }
 if model.AccessTokenID != tokenID {
-return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid")
+return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid")
 }
 return model, nil
 }
@@ -152,11 +152,11 @@ func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID,
 }
 err = q.eventstore.FilterToQueryReducer(ctx, model)
 if err != nil {
-return zerrors.ThrowPermissionDenied(err, "QUERY-SJ642", "Errors.Internal")
+return zerrors.ThrowUnauthenticated(err, "QUERY-SJ642", "Errors.Internal")
 }
 if model.terminated {
-return zerrors.ThrowPermissionDenied(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid")
+return zerrors.ThrowUnauthenticated(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid")
 }
 return nil
 }
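Review bot: The two returns that wrap an error from FilterToQueryReducer — `ThrowUnauthenticated(err, "QUERY-SJ642", "Errors.Internal")` in checkSessionNotTerminatedAfter and `ThrowUnauthenticated(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")` in accessTokenByOIDCSessionAndTokenID — now classify a storage/query failure as an authentication failure, and the first one's message key already says Internal. Reporting a store outage as 401 makes clients discard the token and re-authenticate instead of retrying, and hides the failure from alerting keyed on 5xx responses. Suggest `return zerrors.ThrowInternal(err, "QUERY-SJ642", "Errors.Internal")` there and the same treatment for QUERY-ASfe2, keeping Unauthenticated for the token-mismatch and terminated-session branches; this assumes FilterToQueryReducer errors only on store failures and not on an empty event set, which is worth confirming against the eventstore implementation. Both enclosing functions start outside their hunks.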