Remove failed bearer tokens from logs

2024-11-24 08:52:25 +02:00 · 2020-11-26 11:47:44 -08:00 · 2020-11-26 11:47:44 -08:00 · 5f8f856260
commit 5f8f856260
parent 22f60e9b63
2 changed files with 10 additions and 8 deletions
--- a/pkg/middleware/jwt_session.go
+++ b/pkg/middleware/jwt_session.go
@ -1,6 +1,7 @@
 package middleware

 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"regexp"
@ -9,7 +10,7 @@ import (
 	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
 	sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
-	"k8s.io/apimachinery/pkg/util/errors"
+	k8serrors "k8s.io/apimachinery/pkg/util/errors"
 )

 const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
@ -70,17 +71,18 @@ func (j *jwtSessionLoader) getJwtSession(req *http.Request) (*sessionsapi.Sessio
 		return nil, err
 	}

-	errs := []error{fmt.Errorf("unable to verify jwt token: %q", req.Header.Get("Authorization"))}
+	// This leading error message only occurs if all session loaders fail
+	errs := []error{errors.New("unable to verify bearer token")}
 	for _, loader := range j.sessionLoaders {
 		session, err := loader(req.Context(), token)
-		if err == nil {
-			return session, nil
-		} else {
+		if err != nil {
 			errs = append(errs, err)
+			continue
 		}
+		return session, nil
 	}

-	return nil, errors.NewAggregate(errs)
+	return nil, k8serrors.NewAggregate(errs)
 }

 // findTokenFromHeader finds a valid JWT token from the Authorization header of a given request.
--- a/pkg/middleware/jwt_session_test.go
+++ b/pkg/middleware/jwt_session_test.go
@ -225,7 +225,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 			Entry("Bearer <nonVerifiedToken>", getJWTSessionTableInput{
 				authorizationHeader: fmt.Sprintf("Bearer %s", nonVerifiedToken),
 				expectedErr: k8serrors.NewAggregate([]error{
-					errors.New("unable to verify jwt token: \"Bearer eyJfoobar.eyJfoobar.12345asdf\""),
+					errors.New("unable to verify bearer token"),
 					errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 				}),
 				expectedSession: nil,
@ -238,7 +238,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 			Entry("Basic Base64(<nonVerifiedToken>:) (No password)", getJWTSessionTableInput{
 				authorizationHeader: "Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6",
 				expectedErr: k8serrors.NewAggregate([]error{
-					errors.New("unable to verify jwt token: \"Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6\""),
+					errors.New("unable to verify bearer token"),
 					errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 				}),
 				expectedSession: nil,