backport of commit eb6359b

hashicorp · Jun 23, 2022 · 08e2fe6 · 08e2fe6
1 parent a117c14
commit 08e2fe6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/changelog/16112.txt b/changelog/16112.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/auth: Return a 403 instead of a 500 for a malformed SSCT
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -578,13 +578,16 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 			if token == nil {
 				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
 			}
-			// We don't care if the token is an server side consistent token or not. Either way, we're going
+			// We don't care if the token is a server side consistent token or not. Either way, we're going
 			// to be returning it for these paths instead of the short token stored in vault.
 			requestBodyToken = token.(string)
 			if IsSSCToken(token.(string)) {
 				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
+
+				// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
+				// should receive a 403 bad token error like they do for all other invalid tokens.
 				if err != nil {
-					return nil, fmt.Errorf("server side consistent token check failed: %w", err)
+					return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied
 				}
 				req.Data["token"] = token
 			}