mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-11 06:53:39 +00:00
fix: return 401 instead of 403 on expired tokens (#8476)
# Which Problems Are Solved The access token verifier returned a permission denied (HTTP 403 / GRPC 7) instead of a unauthenticated (HTTP 401 / GRPC 16) error. # How the Problems Are Solved Return the correct error type. # Additional Changes None # Additional Context close #8392 (cherry picked from commit cbbd44c303c6a06a5ef3d6c8fecd6fca63ec8705)
This commit is contained in:
parent
40f6205486
commit
3289698d4c
@ -109,14 +109,14 @@ func (q *Queries) ActiveAccessTokenByToken(ctx context.Context, token string) (m
|
|||||||
|
|
||||||
split := strings.Split(token, "-")
|
split := strings.Split(token, "-")
|
||||||
if len(split) != 2 {
|
if len(split) != 2 {
|
||||||
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid")
|
return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-LJK2W", "Errors.OIDCSession.Token.Invalid")
|
||||||
}
|
}
|
||||||
model, err = q.accessTokenByOIDCSessionAndTokenID(ctx, split[0], split[1])
|
model, err = q.accessTokenByOIDCSessionAndTokenID(ctx, split[0], split[1])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if !model.AccessTokenExpiration.After(time.Now()) {
|
if !model.AccessTokenExpiration.After(time.Now()) {
|
||||||
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired")
|
return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired")
|
||||||
}
|
}
|
||||||
if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.Position, model.UserAgent.GetFingerprintID()); err != nil {
|
if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.Position, model.UserAgent.GetFingerprintID()); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -130,10 +130,10 @@ func (q *Queries) accessTokenByOIDCSessionAndTokenID(ctx context.Context, oidcSe
|
|||||||
|
|
||||||
model = newOIDCSessionAccessTokenReadModel(oidcSessionID)
|
model = newOIDCSessionAccessTokenReadModel(oidcSessionID)
|
||||||
if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
|
if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
|
||||||
return nil, zerrors.ThrowPermissionDenied(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")
|
return nil, zerrors.ThrowUnauthenticated(err, "QUERY-ASfe2", "Errors.OIDCSession.Token.Invalid")
|
||||||
}
|
}
|
||||||
if model.AccessTokenID != tokenID {
|
if model.AccessTokenID != tokenID {
|
||||||
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid")
|
return nil, zerrors.ThrowUnauthenticated(nil, "QUERY-M2u9w", "Errors.OIDCSession.Token.Invalid")
|
||||||
}
|
}
|
||||||
return model, nil
|
return model, nil
|
||||||
}
|
}
|
||||||
@ -152,11 +152,11 @@ func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID,
|
|||||||
}
|
}
|
||||||
err = q.eventstore.FilterToQueryReducer(ctx, model)
|
err = q.eventstore.FilterToQueryReducer(ctx, model)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return zerrors.ThrowPermissionDenied(err, "QUERY-SJ642", "Errors.Internal")
|
return zerrors.ThrowUnauthenticated(err, "QUERY-SJ642", "Errors.Internal")
|
||||||
}
|
}
|
||||||
|
|
||||||
if model.terminated {
|
if model.terminated {
|
||||||
return zerrors.ThrowPermissionDenied(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid")
|
return zerrors.ThrowUnauthenticated(nil, "QUERY-IJL3H", "Errors.OIDCSession.Token.Invalid")
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user