Merge pull request #85 from okta/fetch_check_http_status

Check http status on the request for metadata not being 2xx.

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## v1.3.1 (April 6th, 2022)
+
+### Updates:
+
+* Correctly error if metadata from issuer is not 200. [#85](https://github.com/okta/okta-jwt-verifier-golang/pull/85). Thanks, [@monde](https://github.com/monde)!
+
 ## v1.3.0 (March 17th, 2022)
 
 ### Enhancements:
@@ -18,7 +24,6 @@
 
 * Customizable resource cache. Thanks, [@tschaub](https://github.com/tschaub)!
 
-
 ## v1.1.3
 
 ### Updates
@@ -32,4 +37,3 @@
 ### Updates
 
 - Only `alg` and `kid` claims in a JWT header are considered during verification.
-

go.mod

@@ -1,10 +1,12 @@
 module github.com/okta/okta-jwt-verifier-golang
 
 require (
+	github.com/jarcoal/httpmock v1.1.0 // indirect
 	github.com/lestrrat-go/codegen v1.0.0 // indirect
 	github.com/lestrrat-go/jwx v1.2.18
 	github.com/lestrrat-go/pdebug/v3 v3.0.1 // indirect
 	github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627
+	github.com/stretchr/testify v1.7.1 // indirect
 	golang.org/x/mod v0.4.1 // indirect
 	golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963 // indirect
 )

go.sum

@@ -7,6 +7,8 @@ github.com/goccy/go-json v0.3.5 h1:HqrLjEWx7hD62JRhBh+mHv+rEEzBANIu6O0kbDlaLzU=
 github.com/goccy/go-json v0.3.5/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.9.4 h1:L8MLKG2mvVXiQu07qB6hmfqeSYQdOnqPot2GhsIwIaI=
 github.com/goccy/go-json v0.9.4/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/jarcoal/httpmock v1.1.0 h1:F47ChZj1Y2zFsCXxNkBPwNNKnAyOATcdQibk0qEdVCE=
+github.com/jarcoal/httpmock v1.1.0/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/lestrrat-go/backoff/v2 v2.0.7 h1:i2SeK33aOFJlUNJZzf2IpXRBvqBBnaGXfY5Xaop/GsE=
 github.com/lestrrat-go/backoff/v2 v2.0.7/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
@@ -40,6 +42,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

jwtverifier.go

@@ -65,6 +65,11 @@ func fetchMetaData(url string) (interface{}, error) {
 	}
 	defer resp.Body.Close()
 
+	ok := resp.StatusCode >= 200 && resp.StatusCode < 300
+	if !ok {
+		return nil, fmt.Errorf("request for metadata %q was not HTTP 2xx OK, it was: %d", url, resp.StatusCode)
+	}
+
 	metadata := make(map[string]interface{})
 	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {
 		return nil, err

jwtverifier_test.go

@@ -29,6 +29,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/jarcoal/httpmock"
+	"github.com/stretchr/testify/require"
+
 	"github.com/okta/okta-jwt-verifier-golang/adaptors/lestrratGoJwx"
 	"github.com/okta/okta-jwt-verifier-golang/discovery/oidc"
 	"github.com/okta/okta-jwt-verifier-golang/utils"
@@ -455,3 +458,22 @@ func Test_a_successful_authentication_can_have_its_tokens_parsed(t *testing.T) {
 		t.Errorf("issuer claim could not be pulled from access_token")
 	}
 }
+
+func TestWhenFetchMetaDataHas404(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	errJson := `{"errorCode":"E0000022","errorSummary":"The endpoint does not support the provided HTTP method","errorLink":"E0000022","errorId":"oaebpimEDg8TSuQwXXT-wjzwA","errorCauses":[]}`
+	responder := httpmock.NewStringResponder(404, errJson)
+	issuer := `https://example.com/.well-known/openid-configuration`
+	httpmock.RegisterResponder("GET", issuer, responder)
+
+	jvs := JwtVerifier{
+		Issuer: "https://example.com",
+	}
+	jv := jvs.New()
+	token := `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im15b3JnIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.ORhY_syF7eW3e4-h2Lt0i2-7yWSr3GFu4XdHtsNQTquvnrVLN2VhM6gDhoaVtZutuVpDQD-Srd6haKtQTEffrUl2IM6erWVPKNlG_ljdm2hDQ4cw58hs9CJkTkPte4RAtFwsq-zLebdk_eF__rMYqwfgkgKK_13FoG0u8nEVtSoK_2gYBPrdFONC08Uwwre_iUz1MTHugWNcITT3u866UHeNHnRARAIn5L-rKMiEH6sQyhDoGqLyfL5xpn6d1xkxtEgqvoj7F-L4Cw87i4Jzmxl8Eo3xseBe0EGU0s-zMOzqWWVBrcG_pxA9IakgNPHGiRmoQk_rc3796FuwAkYZOA`
+	_, err := jv.VerifyIdToken(token)
+
+	require.ErrorContains(t, err, "request for metadata \"https://example.com/.well-known/openid-configuration\" was not HTTP 2xx OK, it was: 404")
+}