Wrap the errors from functions called within ParseRequest (#1176)

* Wrap the errors from functions called within ParseRequest fixes #1175 * Update Changes
lestrrat-go · Sep 5, 2024 · 551d76f · 551d76f
1 parent 5794328
commit 551d76f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 10 deletions.
diff --git a/Changes b/Changes
@@ -4,6 +4,14 @@ Changes
 v2 has many incompatibilities with v1. To see the full list of differences between
 v1 and v2, please read the Changes-v2.md file (https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes-v2.md)
 
+v2.1.2 UNRELEASED
+  * [jwt] `jwt.ParseRequest` now uses %w to embed errors returned from
+    `jwt.ParseHeader`, `jwt.ParseCookie`, and `jwt.ParseForm`, allowing
+    users to correctly call `errors.Is(err, jwt.ErrTokenExpired)` and the
+    like. Previously the error returned from `jwt.ParseRequest` showed
+    in human readable format what the problem was, but it was not programmatically
+    possible to determine the error type using `errors.Is` (#1175)
+
 v2.1.1 Jul 28 2024
   * Update minimum required go version to go 1.20
   * Update tests to work on 32-bit systems.

diff --git a/jwt/http.go b/jwt/http.go
@@ -224,6 +224,7 @@ func ParseRequest(req *http.Request, options ...ParseOption) (Token, error) {
 	lmhdrs := len(mhdrs)
 	lmfrms := len(mfrms)
 	lmcookies := len(mcookies)
+	var errors []interface{}
 	if lmhdrs > 0 || lmfrms > 0 || lmcookies > 0 {
 		b.WriteString(". Additionally, errors were encountered during attempts to parse")
 
@@ -236,9 +237,8 @@ func ParseRequest(req *http.Request, options ...ParseOption) (Token, error) {
 				}
 				b.WriteString("[header key: ")
 				b.WriteString(strconv.Quote(hdrkey))
-				b.WriteString(", error: ")
-				b.WriteString(strconv.Quote(err.Error()))
-				b.WriteString("]")
+				b.WriteString(", error: %w]")
+				errors = append(errors, err)
 				count++
 			}
 			b.WriteString(")")
@@ -253,9 +253,8 @@ func ParseRequest(req *http.Request, options ...ParseOption) (Token, error) {
 				}
 				b.WriteString("[cookie key: ")
 				b.WriteString(strconv.Quote(cookiekey))
-				b.WriteString(", error: ")
-				b.WriteString(strconv.Quote(err.Error()))
-				b.WriteString("]")
+				b.WriteString(", error: %w]")
+				errors = append(errors, err)
 				count++
 			}
 		}
@@ -269,12 +268,11 @@ func ParseRequest(req *http.Request, options ...ParseOption) (Token, error) {
 				}
 				b.WriteString("[form key: ")
 				b.WriteString(strconv.Quote(formkey))
-				b.WriteString(", error: ")
-				b.WriteString(strconv.Quote(err.Error()))
-				b.WriteString("]")
+				b.WriteString(", error: %w]")
+				errors = append(errors, err)
 				count++
 			}
 		}
 	}
-	return nil, fmt.Errorf(b.String())
+	return nil, fmt.Errorf(b.String(), errors...)
 }
diff --git a/jwt/jwt_test.go b/jwt/jwt_test.go
@@ -1853,3 +1853,20 @@ func TestParseJSON(t *testing.T) {
 		})
 	}
 }
+
+func TestGH1175(t *testing.T) {
+	token, err := jwt.NewBuilder().
+		Expiration(time.Now().Add(-1 * time.Hour)).
+		Build()
+	require.NoError(t, err, `jwt.NewBuilder should succeed`)
+	secret := []byte("secret")
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.HS256, secret))
+	require.NoError(t, err, `jwt.Sign should succeed`)
+
+	req := httptest.NewRequest(http.MethodGet, `http://example.com`, nil)
+	req.Header.Set("Authorization", "Bearer "+string(signed))
+
+	_, err = jwt.ParseRequest(req, jwt.WithKey(jwa.HS256, secret))
+	require.Error(t, err, `jwt.ParseRequest should fail`)
+	require.ErrorIs(t, err, jwt.ErrTokenExpired(), `jwt.ParseRequest should fail with jwt.ErrTokenExpired`)
+}