@kitloong
Contributor

Fixes

echo-jwt/jwt.go

Lines 159 to 161 in 6944ffe

// For valid token, it sets the user in context and calls next handler.
// For invalid token, it returns "401 - Unauthorized" error.
// For missing token, it returns "400 - Bad Request" error.

https://echo.labstack.com/docs/middleware/jwt

Should return HTTP status 400 if missing JWT as documented.

@kitloong
Contributor Author

Hi @aldas

I am sorry, just a kind reminder to review in case you have missed this, thank you!

Contributor

@aldas aldas left a comment

LGTM

@aldas aldas merged commit 2fe4a09 into labstack:main Jul 28, 2023
@kitloong kitloong deleted the feature/400 branch July 28, 2023 06:28
andreasgerstmayr added a commit to perses/perses that referenced this pull request Feb 18, 2025
Nexucis pushed a commit to perses/perses that referenced this pull request Feb 24, 2025
* Bump github.com/labstack/echo-jwt/v4 from 4.2.0 to 4.3.0

Bumps [github.com/labstack/echo-jwt/v4](https://github.com/labstack/echo-jwt) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/labstack/echo-jwt/releases)
- [Changelog](https://github.com/labstack/echo-jwt/blob/main/CHANGELOG.md)
- [Commits](labstack/echo-jwt@v4.2.0...v4.3.0)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo-jwt/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* update expected status code

Ref. labstack/echo-jwt#13

Signed-off-by: Andreas Gerstmayr <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Andreas Gerstmayr <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andreas Gerstmayr <[email protected]>
zoriya added a commit to zoriya/Kyoo that referenced this pull request Apr 4, 2025
@CodingTil

Hi, just wondering - why was the status code changed? I would heavily expect a 401, even more so after considering https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status#client_error_responses.
I guess one could make the point that a malformed token should result in a 400.

The issue with 400 is: 400 is commonly used to signal that the response (body) itself is malformed. I would not expect a token-related issue in a 400, but only in a 401 or 403.

aldas added a commit to aldas/echo-jwt that referenced this pull request Nov 20, 2025
@aldas
Contributor

aldas commented Nov 20, 2025

To be honest, I do not remember the actual details, but I would assume, looking at the error messages, that the reasoning was that for some cases ('header' for example) it would distinguish cases when you have incorrectly composed the requests (did not add jwt or added somewhere where middleware cannot extract) from cases when you are sending unparseable/verifiable JWTs that failed cryptographic authentication.
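
The status split discussed in this thread, as an added example that is not part of the thread or echo-jwt's own code: a standard-library-only middleware that answers 400 when no token can be extracted and 401 when an extracted token fails signature verification. The names `requireJWT`, `sign` and `statusFor`, the key and the token are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var key = []byte("constructed-demo-key") // constructed sample secret

// sign returns the base64url HMAC-SHA256 signature over "header.payload".
func sign(signingInput string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// requireJWT is a hypothetical middleware: 400 when no token can be extracted,
// 401 when a token is present but its signature does not verify.
// Claim checks (exp, alg) are omitted to keep the status split in focus.
func requireJWT(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(h, "Bearer ")
		if tok == h || tok == "" { // no Bearer scheme, or empty credential
			http.Error(w, "missing token", http.StatusBadRequest)
			return
		}
		i := strings.LastIndex(tok, ".")
		if i < 0 || !hmac.Equal([]byte(sign(tok[:i])), []byte(tok[i+1:])) {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the middleware and returns the status code.
func statusFor(authz string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	requireJWT(ok).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	in := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0" // constructed header.payload
	fmt.Println(statusFor(""), statusFor("Bearer "+in+".AAAA"), statusFor("Bearer "+in+"."+sign(in)))
}
```

Clients and integration tests that previously treated every authentication failure as 401 need to handle both codes, as the perses commit referenced above did when it updated its expected status code.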
