EA-2794: Return 401 instead of 403 for invalid JWTs (#99)

Co-authored-by: Immanuel Kattey <[email protected]>
europeana · Nov 22, 2021 · 3ef762d · 3ef762d
1 parent 66ce75f
commit 3ef762d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/...nitions/src/main/java/eu/europeana/api/commons/definitions/config/i18n/I18nConstants.java b/...nitions/src/main/java/eu/europeana/api/commons/definitions/config/i18n/I18nConstants.java
@@ -8,6 +8,7 @@ public interface I18nConstants {
 
 	//401
 	static final String INVALID_APIKEY = "error.invalid_apikey";
+	static final String INVALID_JWTTOKEN = "error.invalid_jwttoken";
 	static final String EMPTY_APIKEY = "error.empty_apikey";
 	static final String MISSING_APIKEY = "error.missing_apikey";
 	static final String INVALID_API_NAME = "error.invalid_api_name";
@@ -23,7 +24,6 @@ public interface I18nConstants {
 	static final String INVALID_HEADER_FORMAT = "error.entity_invalid_header_format";
 	static final String BASE64_DECODING_FAIL = "error.entity_base64_encoding_fail";
 	static final String EXPIRATION_TIMESTAMP_NOT_VALID = "error.expiration_timestamp_not_valid";
-	static final String INVALID_JWT_TOKEN = "error.invalid_jwt_token";	
 	static final String JWT_TOKEN_ERROR = "error.jwt_token_error";	
 
 }
diff --git a/...rc/main/java/eu/europeana/api/commons/service/authorization/BaseAuthorizationService.java b/...rc/main/java/eu/europeana/api/commons/service/authorization/BaseAuthorizationService.java
@@ -12,6 +12,7 @@
 import org.apache.logging.log4j.Logger;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.lang.NonNull;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.jwt.crypto.sign.RsaVerifier;
@@ -37,11 +38,12 @@ public Logger getLog() {
 	return log;
     }
 
-    protected RsaVerifier getSignatureVerifier() {
-	if (signatureVerifier == null)
-	    signatureVerifier = new RsaVerifier(getSignatureKey());
-	return signatureVerifier;
-    }
+	protected RsaVerifier getSignatureVerifier() {
+		if (signatureVerifier == null) {
+			signatureVerifier = new RsaVerifier(getSignatureKey());
+		}
+		return signatureVerifier;
+	}
 
     @Override
     /**
@@ -81,7 +83,7 @@ private Authentication authorizeReadByApiKey(HttpServletRequest request) throws
 	} catch (ClientRegistrationException e) {
 	    // invalid api key
 	    throw new ApplicationAuthenticationException(I18nConstants.INVALID_APIKEY, I18nConstants.INVALID_APIKEY,
-		    new String[] { wsKey }, HttpStatus.FORBIDDEN, e);
+		    new String[] { wsKey }, HttpStatus.UNAUTHORIZED, e);
 	} catch (OAuth2Exception e) {
 	    // validation failed through API Key service issues
 	    // silently approve request
@@ -103,7 +105,7 @@ private Authentication authorizeReadByJwtToken(HttpServletRequest request)
 	    // check if null
 	    if (wsKey == null)
 		throw new ApplicationAuthenticationException(I18nConstants.MISSING_APIKEY, I18nConstants.MISSING_APIKEY,
-			null, HttpStatus.FORBIDDEN, null);
+			null, HttpStatus.UNAUTHORIZED, null);
 
 	    if (data.containsKey(OAuthUtils.USER_ID)) {
 		List<Authentication> authList = new ArrayList<Authentication>(); 
@@ -123,8 +125,8 @@ private Authentication authorizeReadByJwtToken(HttpServletRequest request)
 		}
 	    }
 	} catch (ApiKeyExtractionException | AuthorizationExtractionException e) {
-	    throw new ApplicationAuthenticationException(I18nConstants.INVALID_APIKEY, I18nConstants.INVALID_APIKEY,
-		    new String[] { e.getMessage() }, HttpStatus.UNAUTHORIZED, e);
+	    throw new ApplicationAuthenticationException(I18nConstants.INVALID_JWTTOKEN, I18nConstants.INVALID_JWTTOKEN,
+			    new String[] { e.getMessage() }, HttpStatus.UNAUTHORIZED, e);
 	}
 
 	return authentication;