HTTP Error should be 403 (Forbidden) on missing JWT

[perpetual-hydrofoil]

In the JWT middleware (and corresponding tests), BadRequest is currently used instead of Forbidden for nearly all aspects of broken JWTs. This is arguably correct behavior, because we want to help people fix any broken JWTs, but this one should probably be Forbidden instead:

ErrJWTMissing = echo.NewHTTPError(http.StatusBadRequest, "missing or malformed jwt")

Generally, failed logins should be met with StatusForbidden. However, this minor change possibly could break existing client code that is depending on StatusBadRequest (as the tests are).

Still, it seems like a worthwhile change to distinguish those who are simply not logged in from those who actually have a bad request due to a broken or malformed JWT.

These could also be two different errors: one for a malformed (broken) JWT, and one for one that's simply missing.

[andrei-dascalu]

Well, I agree it should be 403 and it's the sound design decision, particularly since I don't think we 'want to help people fix any broken JWT'. Authentication exists to safeguard API resources, if you don't provide the required JWT or if it's malformed, then it should be a 403 - you're not allowed to access the resource. It's not the API's job to guide a potential client into accessing the resources.

[laliluna]

I stumbled over the same thing. If you store the JWT token in a HTTP only ticket, there is no way to identify a missing token, but a failed request. With the current implementation ; I need to check for 400 with message "missing or malformed jwt". I would prefer not to rely on a message but on a HTTP status code.

May be we can introduce this using

middleware.JWT([]byte(secret), http.StatusForbidden)

An upgrade would brake the code and you can deliberately chose to pic either one.

[laliluna]

Workaround

... e.HTTPErrorHandler = customHTTPErrorHandler e.Logger.Fatal(e.Start("127.0.0.1:9000")) }

func customHTTPErrorHandler(err error, c echo.Context) { if he, ok := err.(*echo.HTTPError); ok { if he.Message == "missing or malformed jwt" { c.String(http.StatusUnauthorized, "Login required") return } } c.Echo().DefaultHTTPErrorHandler(err, c) }

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[torrayne]

The JWT middleware has an error you can just reference in the if statement.

e := echo.New()
e.HTTPErrorHandler = customHTTPErrorHandler
...
func customHTTPErrorHandler(err error, c echo.Context) {
	if err == middleware.ErrJWTMissing {
		c.Error(echo.NewHTTPError(http.StatusUnauthorized, "Login required"))
		return
	}
	c.Echo().DefaultHTTPErrorHandler(err, c)
}