Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Secured" Annotation Does Not Appear to Work with JWT #19

Open
homestar9 opened this issue Aug 23, 2023 · 2 comments
Open

"Secured" Annotation Does Not Appear to Work with JWT #19

homestar9 opened this issue Aug 23, 2023 · 2 comments

Comments

@homestar9
Copy link

What are the steps to reproduce this issue?

  1. Implement JWT configuration
  2. Authenticate and receive JWT token
  3. Attempt to GET /api/v1/echo/whoami/

What happens?

You will get an invalid or missing auth credentials response.

What were you expecting to happen?

It should execute the handler method.

Any other comments?

I would have assumed that passing along the JWT token would allow bypassing the secured annotation. However, I think for this to have the intended effect, you have to add the whoami() method to the cbsecurity firewall rules and remove the annotation.
@lmajano
Copy link
Contributor

lmajano commented Aug 24, 2023

The firewall doesn't care if it's jwt or not. It just checks the logged in user for annotations. The annotation should have worked, if not, we have an issue

@homestar9
Copy link
Author

The annotations work in the sense that it prevents access to the handler action. However, in the context of the Coldbox REST API template, the whoami() method is supposed to tell the user who they are based on the passed JWT token, right?

Maybe I am doing something wrong, but based on my tests with Postman, if I hit that endpoint with a valid JWT token, I get the invalid or missing auth credentials no matter what. If I remove the secured annotation, it works.

/**
 * A secured route that shows you your information
 *
 * @x        -route          (GET) /api/whoami
 * @security bearerAuth,ApiKeyAuth
 * @response -default ~echo/whoami/responses.json##200
 * @response -401     ~echo/whoami/responses.json##401
 */
function whoami( event, rc, prc ) secured{
    event.getResponse().setData( jwtAuth().getUser().getMemento() );
}

If the secured annotation is doing what its supposed to, perhaps we should remove the annotation and change the method to something like this:

function whoami( event, rc, prc ) {
    try {
        event.getResponse().setData( jwtAuth().getUser().getMemento() );
    } catch( TokenNotFoundException e ) {
        event.getResponse().addMessage( "You are a guest" );
    }
    
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lmajano @homestar9