feat: update error messages

2023-04-04 17:22:57 -06:00 · 2023-04-04 17:22:57 -06:00 · 1dece66bee
parent 0c2f482c9e
commit 1dece66bee
2 changed files with 12 additions and 18 deletions
--- a/chiauth/chiauth.go
+++ b/chiauth/chiauth.go
@ -51,34 +51,28 @@ func NewTokenVerifier(opts VerificationParams) func(http.Handler) http.Handler {
 					return
 				}

-				http.Error(
-					w,
-					"Bad Format: missing Authorization header and 'access_token' query",
-					http.StatusBadRequest,
-				)
+				errmsg := "bad format: missing 'Authorization' header and 'access_token' query"
+				http.Error(w, errmsg, http.StatusBadRequest)
 				return
 			}

 			parts := strings.Split(token, " ")
 			if len(parts) != 2 {
-				http.Error(
-					w,
-					"Bad Format: expected Authorization header to be in the format of 'Bearer <Token>'",
-					http.StatusBadRequest,
-				)
+				errmsg := "bad format: expected 'Authorization' header to be in the format of 'Bearer <Token>'"
+				http.Error(w, errmsg, http.StatusBadRequest)
 				return
 			}
 			token = parts[1]

 			inspected, err := libauth.VerifyJWT(token, opts.Issuers, r)
 			if nil != err {
-				w.WriteHeader(http.StatusBadRequest)
-				errmsg := "Invalid Token: " + err.Error() + "\n"
-				w.Write([]byte(errmsg))
+				errmsg := "invalid token: " + err.Error()
+				http.Error(w, errmsg, http.StatusBadRequest)
 				return
 			}
 			if !inspected.Trusted {
-				http.Error(w, "Bad Token Signature", http.StatusBadRequest)
+				errmsg := "invalid token: bad signature"
+				http.Error(w, errmsg, http.StatusBadRequest)
 				return
 			}

--- a/libauth.go
+++ b/libauth.go
@ -68,7 +68,7 @@ func ParseIssuerListString(issuerList string) []string {
 func VerifyJWT(jwt string, issuers IssuerList, r *http.Request) (*JWS, error) {
 	jws := keypairs.JWTToJWS(jwt)
 	if nil == jws {
-		return nil, fmt.Errorf("bad request: malformed Authorization header")
+		return nil, fmt.Errorf("bad request: bearer token could not be parsed from 'Authorization' header")
 	}

 	myJws := &JWS{
@ -97,14 +97,14 @@ func VerifyJWS(jws *JWS, issuers IssuerList, r *http.Request) (*JWS, error) {
 			return nil, fmt.Errorf("bad request: missing 'kid' identifier")
 		} else if !issOK || len(iss) == 0 {
 			//errs = append(errs, "payload.iss must exist to complement header.kid")
-			return nil, fmt.Errorf("bad request: payload.iss must exist to complement header.kid")
+			return nil, fmt.Errorf("bad request: 'payload.iss' must exist to complement 'header.kid'")
 		} else {
 			// TODO beware domain fronting, we should set domain statically
 			// See https://pkg.go.dev/git.rootprojects.org/root/keypairs@v0.6.2/keyfetch
 			// (Caddy does protect against Domain-Fronting by default:
 			//     https://github.com/caddyserver/caddy/issues/2500)
 			if !issuers.IsTrustedIssuer(iss, r) {
-				return nil, fmt.Errorf("bad request: 'iss' is not a trusted issuer")
+				return nil, fmt.Errorf("unauthorized: 'iss' (%s) is not a trusted issuer", iss)
 			}
 		}
 		var err error
@ -123,7 +123,7 @@ func VerifyJWS(jws *JWS, issuers IssuerList, r *http.Request) (*JWS, error) {
 			jws.Errors = append(jws.Errors, err)
 			strs = append(strs, err.Error())
 		}
-		return jws, fmt.Errorf("invalid jwt:\n%s", strings.Join(strs, "\n\t"))
+		return jws, fmt.Errorf("invalid jwt:\n\t%s", strings.Join(strs, "\n\t"))
 	}

 	jws.Trusted = true