diff --git a/changelog/16112.txt b/changelog/16112.txt
new file mode 100644
index 000000000000..3b61c6b89e3d
--- /dev/null
+++ b/changelog/16112.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/auth: Return a 403 instead of a 500 for a malformed SSCT
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index dbbe5b21cf8a..b40bde28e47a 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -582,13 +582,16 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 if token == nil {
 return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
 }
- // We don't care if the token is an server side consistent token or not. Either way, we're going
+ // We don't care if the token is a server side consistent token or not. Either way, we're going
 // to be returning it for these paths instead of the short token stored in vault.
 requestBodyToken = token.(string)
 if IsSSCToken(token.(string)) {
 token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
+
+ // If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
+ // should receive a 403 bad token error like they do for all other invalid tokens.
 if err != nil {
- return nil, fmt.Errorf("server side consistent token check failed: %w", err)
+ return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied
 }
 req.Data["token"] = token
 }
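Review bot: Every error from CheckSSCToken now collapses into a 403 "bad token" and the underlying err is discarded, so a transient internal failure inside the check (a storage or standby lookup, say) becomes indistinguishable from a forged or malformed token, and an operator is left with no log line to tell the two apart. If CheckSSCToken can fail for reasons other than an invalid token, consider returning the permission-denied response only for a recognised malformed-token error and keeping the wrapped 500 for the rest; at minimum log the cause before mapping it, e.g. `c.logger.Debug("server side consistent token check failed", "error", err)` ahead of the `return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied` line, without including the token value itself. The nil-token branch earlier in the same hunk uses "invalid token", so the new message might reuse that wording for consistency. handleCancelableRequest starts and ends outside the hunk.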