# HG changeset patch
# User Kim Alvefur
# Date 1726945845 -7200
# Node ID a0d77b427d505ac2f54b36c909b59e91f69c13e0
# Parent bdfb0ed563992e71299a95e71680772c36ac4977
mod_rest: Wrap mod_tokenauth errors

In some cases of expired or invalid tokens the error from mod_tokenauth.get_token_session() was returned bare with status 200 instead of via the error formatting handler.

diff -r bdfb0ed56399 -r a0d77b427d50 mod_rest/mod_rest.lua
--- a/mod_rest/mod_rest.lua Fri Sep 20 18:47:59 2024 +0200
+++ b/mod_rest/mod_rest.lua Sat Sep 21 21:10:45 2024 +0200
@@ -51,6 +51,12 @@
 size = { code = 413; type = "modify"; condition = "resource-constraint", text = "Payload too large" };
 });
 
+local token_session_errors = errors.init("mod_tokenauth", {
+ ["internal-error"] = { code = 500; type = "wait"; condition = "internal-server-error" };
+ ["invalid-token-format"] = { code = 403; type = "auth"; condition = "not-authorized"; text = "Credentials malformed" };
+ ["not-authorized"] = { code = 403; type = "auth"; condition = "not-authorized"; text = "Credentials not accepted" };
+});
+
 local function check_credentials(request) -- > session | boolean, error
 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
 auth_type = auth_type and auth_type:lower();
@@ -77,7 +83,11 @@
 return { username = username; host = module.host };
 elseif auth_type == "bearer" then
 if tokens.get_token_session then
- return tokens.get_token_session(auth_data);
+ local token_session, err = tokens.get_token_session(auth_data);
+ if not token_session then
+ return false, token_session_errors.new(err or "not-authorized", { request = request });
+ end
+ return token_session;
 else -- COMPAT w/0.12
 local token_info = tokens.get_token_info(auth_data);
 if not token_info or not token_info.session then
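Review bot: The `token_session_errors` table added in the first hunk has no comment saying where its three keys come from, yet the whole fix depends on them matching the error names that mod_tokenauth's get_token_session() returns; a maintainer adding or renaming an error in mod_tokenauth has no hint here that this mapping must follow. A one-line comment above the `errors.init` call would make the coupling visible: `-- keys mirror the error names returned by mod_tokenauth's get_token_session(); keep in step with that module`. It would also help to note why both token failures deliberately map to the same 403 `not-authorized` condition and differ only in `text`, since a reader may otherwise be tempted to "fix" the duplication.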
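Review bot: The `err or "not-authorized"` fallback on the new `return false, token_session_errors.new(...)` line in the second hunk only covers a nil `err`; an error name from get_token_session() that is not one of the three keys in `token_session_errors` is passed to `new` unchanged, so the status and condition the client sees then depend on how the `errors` registry treats an unknown key rather than on this table, which is presumably the same class of unmapped error the commit set out to remove. Normalising before the lookup keeps this file in control of the response, e.g. `if err ~= "internal-error" and err ~= "invalid-token-format" then err = "not-authorized"; end` placed just before that `return false, ...` line. The `{ request = request }` context is consistent with the module's other error constructors as far as this hunk shows, but it is worth confirming that the error formatting handler never serialises that context into the response body. check_credentials continues past the end of the hunk, so the COMPAT branch's failure return is not visible here for comparison.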