go-kit/kit

ErrSignatureInvalid from jwt-go lib should be handled by jwt parser

Open

#947 opened on Jan 10, 2020

View on GitHub
 (1 comment) (0 reactions) (0 assignees)Go (27,422 stars) (2,446 forks)batch import
help wanted

Description

I'm playing around with jwt errors handling and I found out that there is a HS256-specific error in jwt-go library that is returned as inner error by the go-kit parser. I believe that this error should be handled by the parser and ErrTokenInvalid should be returned.

Any thoughts?

Contributor guide

Tech stack
go
Domain
apisecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Go basicsjwt go library
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Look at the go kit JWT parser in `transport/http/jwt` or similar package. The issue points out that `ErrSignatureInvalid` from the jwt go library is not handled, causing the parser to return the raw inner error instead of `ErrTokenInvalid`. The fix involves catching that specific error in the parser code and converting it. Refer to the linked line in jwt go's hmac.go for the error definition.