From 8636d3fc00120f01b9df710e48e3284ec9d96cab Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Fri, 24 Jan 2025 09:01:04 +1100
Subject: [PATCH] Handle wrong OIDC tokens gracefully

If you copy and paste only part of a token then a general DecodeError is raised. It's the parent class for all other related errors like for expired signatures. Now we just fail authentication instead of raising a server error.
---
 engines/dfc_provider/app/services/authorization_control.rb | 2 +-
 .../spec/services/authorization_control_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/engines/dfc_provider/app/services/authorization_control.rb b/engines/dfc_provider/app/services/authorization_control.rb
index 254c6cee67..879eab7980 100644
--- a/engines/dfc_provider/app/services/authorization_control.rb
+++ b/engines/dfc_provider/app/services/authorization_control.rb
@@ -20,7 +20,7 @@ class AuthorizationControl
   def user
     oidc_user || ofn_api_user || ofn_user
-  rescue JWT::ExpiredSignature
+  rescue JWT::DecodeError
     nil
   end
diff --git a/engines/dfc_provider/spec/services/authorization_control_spec.rb b/engines/dfc_provider/spec/services/authorization_control_spec.rb
index f5695f0cd6..af340d3105 100644
--- a/engines/dfc_provider/spec/services/authorization_control_spec.rb
+++ b/engines/dfc_provider/spec/services/authorization_control_spec.rb
@@ -34,6 +34,12 @@ RSpec.describe AuthorizationControl do
       expect(auth(oidc_token: token).user).to eq nil
     end
+
+    it "ignores malformed tokens" do
+      token = "eyJhbGciOiJSUzI1NiIsInR5c"
+
+      expect(auth(oidc_token: token).user).to eq nil
+    end
   end
   describe "with OFN API token" do
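Review bot: The widened `rescue JWT::DecodeError` in `user` still covers the whole `oidc_user || ofn_api_user || ofn_user` chain, so a decode failure raised by the OIDC path returns `nil` before the API-token and session paths are even tried, and the reason for the rejection is discarded silently. Failing closed is the right outcome, but the rescue belongs around the OIDC lookup alone (inside `oidc_user`, whose definition is outside this hunk), and recording the exception class would make repeated malformed or tampered tokens visible to whoever watches the logs: `rescue JWT::DecodeError => e` / `# log e.class here via whatever logger this class has — not visible in the hunk` / `nil`. `AuthorizationControl` continues outside the hunk.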
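Review bot: The new "ignores malformed tokens" example exercises only a truncated header segment, which is the narrowest form of the broadened rescue; since `JWT::DecodeError` now also covers signature and format failures, one example with a token that is not base64-JWT-shaped at all (a constructed value such as `"not-a-jwt"`) would document that the rejection does not depend on the input looking like a JWT prefix. As a point of style, `expect(...).to be_nil` reads more directly than `eq nil` and matches the intent of the assertion. The surrounding `describe` block starts and ends outside this hunk.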