fix(jwt-auth) return 401 unauthorized instead of 403 (Kong#2433)

On invalid claims the JWT plugin returned `403 forbidden` instead of the `401 unauthorized`. fixes Kong#2409
lineCode · Apr 21, 2017 · 35467cc · 35467cc
1 parent 5616c94
commit 35467cc
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -76,6 +76,9 @@
   - hmac: Better handling of invalid base64-encoded signatures. Previously Kong
     would return an HTTP 500 error. We now properly return HTTP 403 Forbidden.
     [#2283](https://github.com/Mashape/kong/pull/2283)
+  - jwt: Returns `401 unauthorized` on invalid claims, instead of previous
+    `403 forbidden`.
+    [#2433](https://github.com/Mashape/kong/pull/2433)
 - Admin API:
   - Detect conflicts between SNI Objects in the `/snis` and `/certificates`
     endpoint.

diff --git a/kong/plugins/jwt/handler.lua b/kong/plugins/jwt/handler.lua
@@ -148,7 +148,7 @@ local function do_authentication(conf)
   -- Verify the JWT registered claims
   local ok_claims, errors = jwt:verify_registered_claims(conf.claims_to_verify)
   if not ok_claims then
-    return false, {status = 403, message = errors}
+    return false, {status = 401, message = errors}
   end
 
   -- Retrieve the consumer

diff --git a/spec/03-plugins/17-jwt/03-access_spec.lua b/spec/03-plugins/17-jwt/03-access_spec.lua
@@ -276,10 +276,10 @@ describe("Plugin: jwt (access)", function()
           ["Host"] = "jwt3.com"
         }
       })
-      local body = assert.res_status(403, res)
+      local body = assert.res_status(401, res)
       assert.equal('{"nbf":"must be a number","exp":"must be a number"}', body)
     end)
-    it("checks if the fields are valid", function()
+    it("checks if the fields are valid: `exp` claim", function()
       local payload = {
         iss = jwt_secret.key,
         exp = os.time() - 10,
@@ -293,9 +293,26 @@ describe("Plugin: jwt (access)", function()
           ["Host"] = "jwt3.com"
         }
       })
-      local body = assert.res_status(403, res)
+      local body = assert.res_status(401, res)
       assert.equal('{"exp":"token expired"}', body)
     end)
+    it("checks if the fields are valid: `nbf` claim", function()
+      local payload = {
+        iss = jwt_secret.key,
+        exp = os.time() + 10,
+        nbf = os.time() + 5
+      }
+      local jwt = jwt_encoder.encode(payload, jwt_secret.secret)
+      local res = assert(proxy_client:send {
+        method = "GET",
+        path = "/request/?jwt="..jwt,
+        headers = {
+          ["Host"] = "jwt3.com"
+        }
+      })
+      local body = assert.res_status(401, res)
+      assert.equal('{"nbf":"token not valid yet"}', body)
+    end)
   end)
 
   describe("config.anonymous", function()