fix: treat improper token properly (#237)

* fix: resolve Base.decode64 {:ok, :error} bleedtrough * docs: update changelog * docs: update changelog * fix: copy-pasted code is now corrected * refactor: simplify tests to deal with root cause * refactor: rename error return to be the same as 'Joken.expand's * refactor: rename correctly to token_malformed
joken-elixir · Jul 11, 2019 · 7a3adec · 7a3adec
1 parent bccf3c6
commit 7a3adec
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@
 ### Changed
 ### Fixed
 
+- (@polvalente) Fix issue where Base.decode64 made peek_claims and peek_header return out of spec (#237)
+
 ## [2.1.0] - 2019-05-27
 
 ### Added

diff --git a/lib/joken.ex b/lib/joken.ex
@@ -129,10 +129,12 @@ defmodule Joken do
   @spec peek_header(bearer_token) :: {:ok, claims} | {:error, error_reason}
   def peek_header(token) when is_binary(token) do
     with {:ok, %{"protected" => protected}} <- expand(token),
-         {:ok, decoded_str} <- Base.url_decode64(protected, padding: false),
+         {:decode64, {:ok, decoded_str}} <-
+           {:decode64, Base.url_decode64(protected, padding: false)},
          header <- JOSE.json_module().decode(decoded_str) do
       {:ok, header}
     else
+      {:decode64, _error} -> {:error, :token_malformed}
       error -> error
     end
   end
@@ -148,10 +150,12 @@ defmodule Joken do
   @spec peek_claims(bearer_token) :: {:ok, claims} | {:error, error_reason}
   def peek_claims(token) when is_binary(token) do
     with {:ok, %{"payload" => payload}} <- expand(token),
-         {:ok, decoded_str} <- Base.url_decode64(payload, padding: false),
+         {:decode64, {:ok, decoded_str}} <-
+           {:decode64, Base.url_decode64(payload, padding: false)},
          claims <- JOSE.json_module().decode(decoded_str) do
       {:ok, claims}
     else
+      {:decode64, _error} -> {:error, :token_malformed}
       error -> error
     end
   end

diff --git a/test/joken_test.exs b/test/joken_test.exs
@@ -161,4 +161,10 @@ defmodule JokenTest do
     assert token = Joken.generate_and_sign!(%{}, %{"some" => custom_claim}, signer)
     assert Joken.peek_claims(token) == {:ok, %{"some" => custom_claim}}
   end
+
+  test "peek_header and peek_claims give proper error upon improper token, instead of returning out of spec :error" do
+    # This test ensures that peek_header and peek_claims use Base.url_decode64 properly
+    assert {:error, :token_malformed} = Joken.peek_claims(".a.")
+    assert {:error, :token_malformed} = Joken.peek_header("a..")
+  end
 end