From 2ee2b6ed7c9a8b0d13e9dd943cf8fe255e3aec80 Mon Sep 17 00:00:00 2001 From: Josh Black Date: Thu, 23 Jun 2022 13:01:20 -0700 Subject: [PATCH] Return a 403 for a bad SSCT instead of 500 (#16112) --- changelog/16112.txt | 3 +++ vault/request_handling.go | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 changelog/16112.txt diff --git a/changelog/16112.txt b/changelog/16112.txt new file mode 100644 index 000000000..3b61c6b89 --- /dev/null +++ b/changelog/16112.txt @@ -0,0 +1,3 @@ +```release-note:bug +core/auth: Return a 403 instead of a 500 for a malformed SSCT +``` diff --git a/vault/request_handling.go b/vault/request_handling.go index dbbe5b21c..b40bde28e 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -582,13 +582,16 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request if token == nil { return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied } - // We don't care if the token is an server side consistent token or not. Either way, we're going + // We don't care if the token is a server side consistent token or not. Either way, we're going // to be returning it for these paths instead of the short token stored in vault. requestBodyToken = token.(string) if IsSSCToken(token.(string)) { token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby) + + // If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client + // should receive a 403 bad token error like they do for all other invalid tokens. if err != nil { - return nil, fmt.Errorf("server side consistent token check failed: %w", err) + return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied } req.Data["token"] = token }