diff --git a/chiauth/chiauth.go b/chiauth/chiauth.go
index d7480a7..99473df 100644
--- a/chiauth/chiauth.go
+++ b/chiauth/chiauth.go
@@ -51,34 +51,28 @@ func NewTokenVerifier(opts VerificationParams) func(http.Handler) http.Handler {
 return
 }
- http.Error(
- w,
- "Bad Format: missing Authorization header and 'access_token' query",
- http.StatusBadRequest,
- )
+ errmsg := "bad format: missing 'Authorization' header and 'access_token' query"
+ http.Error(w, errmsg, http.StatusBadRequest)
 return
 }
 parts := strings.Split(token, " ")
 if len(parts) != 2 {
- http.Error(
- w,
- "Bad Format: expected Authorization header to be in the format of 'Bearer '",
- http.StatusBadRequest,
- )
+ errmsg := "bad format: expected 'Authorization' header to be in the format of 'Bearer '"
+ http.Error(w, errmsg, http.StatusBadRequest)
 return
 }
 token = parts[1]
 inspected, err := libauth.VerifyJWT(token, opts.Issuers, r)
 if nil != err {
- w.WriteHeader(http.StatusBadRequest)
- errmsg := "Invalid Token: " + err.Error() + "\n"
- w.Write([]byte(errmsg))
+ errmsg := "invalid token: " + err.Error()
+ http.Error(w, errmsg, http.StatusBadRequest)
 return
 }
 if !inspected.Trusted {
- http.Error(w, "Bad Token Signature", http.StatusBadRequest)
+ errmsg := "invalid token: bad signature"
+ http.Error(w, errmsg, http.StatusBadRequest)
 return
 }
diff --git a/libauth.go b/libauth.go
index b09bbb2..c294179 100644
--- a/libauth.go
+++ b/libauth.go
@@ -68,7 +68,7 @@ func ParseIssuerListString(issuerList string) []string {
 func VerifyJWT(jwt string, issuers IssuerList, r *http.Request) (*JWS, error) {
 jws := keypairs.JWTToJWS(jwt)
 if nil == jws {
- return nil, fmt.Errorf("bad request: malformed Authorization header")
+ return nil, fmt.Errorf("bad request: bearer token could not be parsed from 'Authorization' header")
 }
 myJws := &JWS{
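Review bot: The new `if nil != err` branch writes `err.Error()` verbatim into the response body, and the libauth part of this same commit starts interpolating the token's `iss` claim into that error, so an unauthenticated caller gets its own attacker-chosen, unbounded claim value and the library's parser detail reflected back by `http.Error` (text/plain plus nosniff limits the blast radius, but it is still an information leak). I would send a fixed message, `http.Error(w, "invalid token", http.StatusUnauthorized)`, and log the detailed error server-side. Every failure here still answers 400 even though the library wording is now "unauthorized"; RFC 6750 expects 401 with a `WWW-Authenticate: Bearer` header for a token that cannot be verified. The `len(parts) != 2` check on the new side also never confirms that `parts[0]` is the `Bearer` scheme the message promises; `if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {` would close that gap. The enclosing handler closure starts before and ends after this hunk.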
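Review bot: The new message asserts the token came from the 'Authorization' header, but VerifyJWT receives only a string, and the chiauth hunk in this same diff shows the caller also accepting it from an `access_token` query parameter, so the wording is wrong for that path. `return nil, fmt.Errorf("bad request: bearer token is not a well-formed JWT")` states what was actually checked without assuming the transport. The rest of VerifyJWT continues past this hunk.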
@@ -97,14 +97,14 @@ func VerifyJWS(jws *JWS, issuers IssuerList, r *http.Request) (*JWS, error) {
 return nil, fmt.Errorf("bad request: missing 'kid' identifier")
 } else if !issOK || len(iss) == 0 {
 //errs = append(errs, "payload.iss must exist to complement header.kid")
- return nil, fmt.Errorf("bad request: payload.iss must exist to complement header.kid")
+ return nil, fmt.Errorf("bad request: 'payload.iss' must exist to complement 'header.kid'")
 } else {
 // TODO beware domain fronting, we should set domain statically
 // See https://pkg.go.dev/git.rootprojects.org/root/keypairs@v0.6.2/keyfetch
 // (Caddy does protect against Domain-Fronting by default:
 // https://github.com/caddyserver/caddy/issues/2500)
 if !issuers.IsTrustedIssuer(iss, r) {
- return nil, fmt.Errorf("bad request: 'iss' is not a trusted issuer")
+ return nil, fmt.Errorf("unauthorized: 'iss' (%s) is not a trusted issuer", iss)
 }
 }
 var err error
@@ -123,7 +123,7 @@ func VerifyJWS(jws *JWS, issuers IssuerList, r *http.Request) (*JWS, error) {
 jws.Errors = append(jws.Errors, err)
 strs = append(strs, err.Error())
 }
- return jws, fmt.Errorf("invalid jwt:\n%s", strings.Join(strs, "\n\t"))
+ return jws, fmt.Errorf("invalid jwt:\n\t%s", strings.Join(strs, "\n\t"))
 }
 jws.Trusted = true
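Review bot: The new `unauthorized:` error interpolates `iss` with `%s`, an unverified, attacker-controlled JWT claim of arbitrary length, into a message that the chiauth hunk in this same diff returns to the client and that will plausibly reach logs; at minimum quote it, `return nil, fmt.Errorf("unauthorized: 'iss' (%q) is not a trusted issuer", iss)`, so embedded newlines and control characters cannot forge log lines, and consider leaving the value out of the client-facing text altogether. Changing the prefix from "bad request:" to "unauthorized:" only helps if callers can act on it; a sentinel such as `var ErrUntrustedIssuer = errors.New("unauthorized: 'iss' is not a trusted issuer")` wrapped via `%w` would let chiauth map it to 401 without string matching. The domain-fronting TODO directly above this check is still open, and `IsTrustedIssuer(iss, r)` is handed the request, so if it derives the expected issuer from the incoming `Host` header the trust decision is request-influenced — worth confirming, since that body is outside this hunk. VerifyJWS starts before and continues after this hunk.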