Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR attempts to address issue #4592 by wrapping JWT license validation in exception handling to provide better user feedback. The changes add a try-catch block around the ValidateKey method to catch platform-specific exceptions when RSA cryptography is not supported (e.g., in Blazor WASM scenarios).
Changes:
- Added try-catch block around JWT validation logic in ValidateKey method
- Added specific handling for PlatformNotSupportedException with informative logging
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+82
to
89
| catch (PlatformNotSupportedException) | ||
| { | ||
| _logger.LogCritical(validateResult.Exception, "Error validating the Lucky Penny software license key"); | ||
| _logger.LogInformation( | ||
| "RSA cryptography is not supported on this platform. " + | ||
| "For client redistribution scenarios such as Blazor WASM, see: " + | ||
| "https://docs.automapper.io/en/latest/License-configuration.html#client-redistribution-scenarios"); | ||
| return []; | ||
| } |
There was a problem hiding this comment.
The PR description states it fixes issue #4592 which asks for better exception messages for JWT validation errors (specifically ArgumentException and FormatException like "IDX14101: Unable to decode the payload"). However, the code changes only add a try-catch for PlatformNotSupportedException, which is a different scenario (unsupported cryptography on certain platforms like Blazor WASM). The original issue's JWT decoding errors would still not be caught or given better messages by this implementation.
| "For client redistribution scenarios such as Blazor WASM, see: " + | ||
| "https://docs.automapper.io/en/latest/License-configuration.html#client-redistribution-scenarios"); | ||
| return []; | ||
| } |
There was a problem hiding this comment.
The PR description states this fixes issue #4592, which mentions catching exceptions like ArgumentException and FormatException during JWT validation to provide better error messages. However, the current implementation only catches PlatformNotSupportedException. The ArgumentException and FormatException shown in the issue (IDX14101, IDX10400) would not be caught by this try-catch block. Consider adding a catch block for these exceptions (or a more general exception type) that logs a user-friendly message like "The provided license key is invalid or malformed. Please check that you have copied the entire license key correctly."
Suggested change
| } | |
| } | |
| catch (ArgumentException ex) | |
| { | |
| _logger.LogWarning(ex, | |
| "The provided license key is invalid or malformed. Please check that you have copied the entire license key correctly."); | |
| return []; | |
| } | |
| catch (FormatException ex) | |
| { | |
| _logger.LogWarning(ex, | |
| "The provided license key is invalid or malformed. Please check that you have copied the entire license key correctly."); | |
| return []; | |
| } |
| ValidateLifetime = false | ||
| }; | ||
|
|
||
| var validateResult = handler.ValidateTokenAsync(licenseKey, parms).Result; |
There was a problem hiding this comment.
Using .Result on an async method can cause deadlocks in certain synchronization contexts and wraps exceptions in AggregateException. Since the handler.ValidateTokenAsync call might throw exceptions synchronously (before returning a Task), those exceptions may be wrapped in AggregateException when accessing .Result. This could complicate exception handling. Consider using GetAwaiter().GetResult() instead, which unwraps the exception, or making this method async and using await.
Suggested change
| var validateResult = handler.ValidateTokenAsync(licenseKey, parms).Result; | |
| var validateResult = handler.ValidateTokenAsync(licenseKey, parms).GetAwaiter().GetResult(); |
jbogard
deleted the
4592-provide-a-better-exception-message-for-errors-validating-jwt
branch
This was referenced Mar 4, 2026
Closed
Closed
PhilipWoulfe
pushed a commit
to PhilipWoulfe/F1Competition
that referenced
this pull request
Mar 10, 2026
Updated [AutoMapper](https://github.com/LuckyPennySoftware/AutoMapper) from 14.0.0 to 16.1.0. <details> <summary>Release notes</summary> _Sourced from [AutoMapper's releases](https://github.com/LuckyPennySoftware/AutoMapper/releases)._ ## 16.1.0 ## What's Changed * Add Debug and Release build configurations to slnx by @Copilot in LuckyPennySoftware/AutoMapper#4590 * Migrating to slnx by @jbogard in LuckyPennySoftware/AutoMapper#4589 * Allow disabling of polymorphic LINQ mapping by @jbogard in LuckyPennySoftware/AutoMapper#4596 * Fix duplicate BOM in ServiceCollectionExtensions.cs by @Copilot in LuckyPennySoftware/AutoMapper#4600 * Fix review feedback: double semicolon, DI condition integration test, docs example by @Copilot in LuckyPennySoftware/AutoMapper#4601 * Adding DI-enabled conditions and pre-conditions; updated docs accordi… by @jbogard in LuckyPennySoftware/AutoMapper#4599 * Adding support for DI-enabled destination factories. by @jbogard in LuckyPennySoftware/AutoMapper#4603 * Correctly converting nullables for MapAtRuntime; fixes #4597 by @jbogard in LuckyPennySoftware/AutoMapper#4604 * Correctly handling consecutive uppercase characters; fixes #4593 by @jbogard in LuckyPennySoftware/AutoMapper#4605 * Wrapping the exception to provide better feedback to the user; fixes … by @jbogard in LuckyPennySoftware/AutoMapper#4606 * Fixing bug around order of open generic registration by @jbogard in LuckyPennySoftware/AutoMapper#4607 * Adding perpetual licensing by @jbogard in LuckyPennySoftware/AutoMapper#4608 ## New Contributors * @Copilot made their first contribution in LuckyPennySoftware/AutoMapper#4590 **Full Changelog**: LuckyPennySoftware/AutoMapper@v16.0.0...v16.1.0 ## 16.0.0 ## What's Changed * Fix release pipelines by @jbogard in LuckyPennySoftware/AutoMapper#4583 * Adding support for .NET 10 by @jbogard in LuckyPennySoftware/AutoMapper#4586 **Full Changelog**: LuckyPennySoftware/AutoMapper@v15.1.0...v16.0.0 ## 16.0.0-beta-1 ## What's Changed * Fix release pipelines by @jbogard in LuckyPennySoftware/AutoMapper#4583 * Adding support for .NET 10 by @jbogard in LuckyPennySoftware/AutoMapper#4586 **Full Changelog**: LuckyPennySoftware/AutoMapper@v15.1.0...v16.0.0-beta-1 This release is a beta release that introduces .NET 10 support and package signing. Signed packages means going forward packages can be validated against trusted authorities that the package has been published by Lucky Penny Software and not tampered with. ## 15.1.0 ## What's Changed * remove Microsoft.SourceLink.GitHub by @SimonCropp in LuckyPennySoftware/AutoMapper#4555 * Direct .NET 4.x support by @jbogard in LuckyPennySoftware/AutoMapper#4569 * Bumping the JsonWebTokens because of GHSA-8g4q-xg66-9fp4; fixes #4575 by @jbogard in LuckyPennySoftware/AutoMapper#4576 * Provide better exceptions for errors when building the mapping plan by @jbogard in LuckyPennySoftware/AutoMapper#4577 * Adding docs for license configuration by @jbogard in LuckyPennySoftware/AutoMapper#4581 * Updating refs to fix missing method issue by @jbogard in LuckyPennySoftware/AutoMapper#4582 ## New Contributors * @SimonCropp made their first contribution in LuckyPennySoftware/AutoMapper#4555 **Full Changelog**: LuckyPennySoftware/AutoMapper@v15.0.1...v15.1.0 ## 15.0.1 ## What's Changed * Removing public signing; fixes #4545 by @jbogard in LuckyPennySoftware/AutoMapper#4552 * Adding back missing overloads and reverting registering behavior by @jbogard in LuckyPennySoftware/AutoMapper#4554 **Full Changelog**: LuckyPennySoftware/AutoMapper@v15.0.0...v15.0.1 This release supersedes the 15.0.0 release, reverting behavior and overloads so that the `AddAutoMapper` overloads separate the "scanning for maps" from the "scanning for dependencies". Unfortunately it's not really possible to combine these two together. This also fixes a critical bug in #4545 that does not work with .NET 4.x applications (as intended). Because of this, the 15.0.0 will be delisted because of the breaking changes there. ## 15.0.0 **Full Changelog**: LuckyPennySoftware/AutoMapper@v14.0.0...v15.0.0 * Added support for .NET Standard 2.0 * Requiring license key * Moving from MIT license to dual commercial/OSS license To set your license key: ```csharp services.AddAutoMapper(cfg => { cfg.LicenseKey = "<License key here>"; }); ``` This also introduced a breaking change with `MapperConfiguration` requiring an `ILoggerFactory` for logging purposes: ```csharp public MapperConfiguration(MapperConfigurationExpression configurationExpression, ILoggerFactory loggerFactory) ``` Registering AutoMapper with `services.AddAutoMapper` will automatically supply this parameter. Otherwise you'll need to supply the logger factory. You can obtain your license key at [AutoMapper.io](https://automapper.io) Commits viewable in [compare view](LuckyPennySoftware/AutoMapper@v14.0.0...v16.1.0). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Mar 14, 2026
Closed
Closed
mlapaglia
pushed a commit
to mlapaglia/OpenAlprWebhookProcessor
that referenced
this pull request
Mar 23, 2026
Updated [AutoMapper](https://github.com/LuckyPennySoftware/AutoMapper) from 16.0.0 to 16.1.1. <details> <summary>Release notes</summary> _Sourced from [AutoMapper's releases](https://github.com/LuckyPennySoftware/AutoMapper/releases)._ ## 16.1.1 ## What's Changed * Better async handling of license validation; fixes #4612 by @jbogard in LuckyPennySoftware/AutoMapper#4613 * More artifacts for builds (test results and SBOM) by @jbogard in LuckyPennySoftware/AutoMapper#4615 * Update Microsoft.Sbom.DotNetTool to 4.1.5 by @jbogard in LuckyPennySoftware/AutoMapper#4616 ## Security Fixed an issue where certain cyclic or self-referential object graphs could trigger uncontrolled recursion during mapping, potentially resulting in stack exhaustion and denial of service. Applications that process untrusted or attacker-controlled object graphs through affected mapping paths may be impacted. Users should upgrade to this release. Security advisory: GHSA-rvv3-g6hj-g44x Thanks to @bluefossa for responsibly disclosing this issue. **Full Changelog**: LuckyPennySoftware/AutoMapper@v16.1.0...v16.1.1 ## 16.1.0 ## What's Changed * Add Debug and Release build configurations to slnx by @Copilot in LuckyPennySoftware/AutoMapper#4590 * Migrating to slnx by @jbogard in LuckyPennySoftware/AutoMapper#4589 * Allow disabling of polymorphic LINQ mapping by @jbogard in LuckyPennySoftware/AutoMapper#4596 * Fix duplicate BOM in ServiceCollectionExtensions.cs by @Copilot in LuckyPennySoftware/AutoMapper#4600 * Fix review feedback: double semicolon, DI condition integration test, docs example by @Copilot in LuckyPennySoftware/AutoMapper#4601 * Adding DI-enabled conditions and pre-conditions; updated docs accordi… by @jbogard in LuckyPennySoftware/AutoMapper#4599 * Adding support for DI-enabled destination factories. by @jbogard in LuckyPennySoftware/AutoMapper#4603 * Correctly converting nullables for MapAtRuntime; fixes #4597 by @jbogard in LuckyPennySoftware/AutoMapper#4604 * Correctly handling consecutive uppercase characters; fixes #4593 by @jbogard in LuckyPennySoftware/AutoMapper#4605 * Wrapping the exception to provide better feedback to the user; fixes … by @jbogard in LuckyPennySoftware/AutoMapper#4606 * Fixing bug around order of open generic registration by @jbogard in LuckyPennySoftware/AutoMapper#4607 * Adding perpetual licensing by @jbogard in LuckyPennySoftware/AutoMapper#4608 ## New Contributors * @Copilot made their first contribution in LuckyPennySoftware/AutoMapper#4590 **Full Changelog**: LuckyPennySoftware/AutoMapper@v16.0.0...v16.1.0 Commits viewable in [compare view](LuckyPennySoftware/AutoMapper@v16.0.0...v16.1.1). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/mlapaglia/OpenAlprWebhookProcessor/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Mar 23, 2026
Closed
Open
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…#4592