fix: return HTTP 400 if key unmarshal fails (#3594)

* fix: return HTTP 400 if key unmarshal fails * fix: apply reviewer's suggestion, prepare for bump * fix: follow up reviewer suggestion from ory/x * chore: bump ory/x
ory · Oct 27, 2023 · fdf4956 · fdf4956
1 parent 3e3c789
commit fdf4956
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/ory/jsonschema/v3 v3.0.8
 	github.com/ory/mail/v3 v3.0.0
 	github.com/ory/nosurf v1.2.7
-	github.com/ory/x v0.0.595
+	github.com/ory/x v0.0.597
 	github.com/peterhellberg/link v1.2.0
 	github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
 	github.com/pkg/errors v0.9.1

diff --git a/go.sum b/go.sum
@@ -838,8 +838,8 @@ github.com/ory/nosurf v1.2.7 h1:YrHrbSensQyU6r6HT/V5+HPdVEgrOTMJiLoJABSBOp4=
 github.com/ory/nosurf v1.2.7/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA=
 github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2 h1:zm6sDvHy/U9XrGpixwHiuAwpp0Ock6khSVHkrv6lQQU=
 github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/ory/x v0.0.595 h1:oh2/wLyyQ6hMaFblj9u0EGzrR5tEOmnp+2as+XkER9g=
-github.com/ory/x v0.0.595/go.mod h1:ksLBEd6iW6czGpE6eNA0gCIxO1FFeqIxCZgsgwNrzMM=
+github.com/ory/x v0.0.597 h1:msBfbEE5Ps8MXR3VxxIVUvei+f1o7cE/XKoIytuTqVQ=
+github.com/ory/x v0.0.597/go.mod h1:ksLBEd6iW6czGpE6eNA0gCIxO1FFeqIxCZgsgwNrzMM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

diff --git a/session/stub/jwk.es512.broken.json b/session/stub/jwk.es512.broken.json
@@ -0,0 +1,14 @@
+{
+  "keys": [
+    {
+      "use": "sig",
+      "kty": "EC",
+      "kid": "bc7f7afc-6742-427c-bb9e-164fe0f8b6a7",
+      "crv": "P-521",
+      "alg": "ES512",
+      "x": "ASj36HQOpsWiaGyzK1F0GkxXRt37R01M-OCWFk8rFqH8UnFBk0qnCmVYWv3pwVPPsN0CfFiaXTrV1gUSapkkDgWY",
+      "y": "ALf5bqXExUq6FzQNQg01hDhR2lOKzkrC02Bc6Alld8Zji3-echbimNZltoOi4MhXbSJeWHpU8wzb3v9XAAW4eovn",
+      "d": "ALP0Sf7cmcELc9CQ2bWd6Qs-YxMu0N9EYZhDmR6qbYdGnvv-lcGy_ySoEJD0vPMKagA8PHDvFhC7ORwP-sBIJ4O_"
+    }
+  ]
+
diff --git a/session/tokenizer_test.go b/session/tokenizer_test.go
@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/herodot"
+
 	"github.com/gofrs/uuid"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/jwk"
@@ -115,4 +117,11 @@ func TestTokenizer(t *testing.T) {
 
 		snapshotx.SnapshotT(t, token.Claims, snapshotx.ExceptPaths("jti"))
 	})
+
+	t.Run("case=rs512-with-broken-keyfile", func(t *testing.T) {
+		tid := "rs512-template"
+		setTokenizeConfig(conf, tid, "jwk.es512.broken.json", "file://stub/rs512-template.jsonnet")
+		err := tkn.TokenizeSession(ctx, tid, s)
+		require.ErrorIs(t, err, herodot.ErrBadRequest)
+	})
 }