Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

query/sessions: return 401 for invalid Bearer token #1379

Merged
merged 4 commits into from
Jan 30, 2025
Merged

query/sessions: return 401 for invalid Bearer token #1379

merged 4 commits into from
Jan 30, 2025

Conversation

alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Jan 23, 2025
edited
Loading

Currently passing a Authorization: Bearer ... header with a token that fails the isValidToken() check will return a 500 response.

To recreate:

$ curl https://dev.getodk.cloud/v1/projects/1 --header 'Authorization: Bearer hi'
{"message":"Internal Server Error"}

vs

$ curl https://dev.getodk.cloud/v1/projects/1 --header 'Authorization: Bearer aaaaaaaabbbbbbbbccccccccddddddddaaaaaaaabbbbbbbbccccccccdddddddd'
{"message":"Could not authenticate with the provided credentials.","code":401.2}

From Sentry (https://getodk.sentry.io/issues/6194482982/?environment=production&project=5724763&query=is%3Aunresolved%20issue.priority%3A%5Bhigh%2C%20medium%5D&referrer=issue-stream&statsPeriod=30d&stream_index=2), when the supplied token is invalid, authHandler can throw.

What has been done to verify that this works as intended?

Added a test which fails against master, but passes on this branch.

Why is this the best possible solution? Were any other approaches considered?

Seems simple. No other approaches considered.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Should not affect users.

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No?

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code from external sources are properly credited in comments or that everything is internally sourced

@alxndrsn alxndrsn changed the title query/sessions: return promise from getByBearerToken() for invalid token query/sessions: return 401 for invalid Bearer token Jan 23, 2025
@alxndrsn alxndrsn marked this pull request as ready for review January 23, 2025 10:16
@alxndrsn alxndrsn merged commit 973462b into getodk:master Jan 30, 2025
6 checks passed
@alxndrsn alxndrsn deleted the session-get-by-bearer-token-missing-return-promise branch January 30, 2025 07:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ktuite ktuite ktuite approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alxndrsn @ktuite