From 827a001a63e39656674dff9b72a62014d3fb701b Mon Sep 17 00:00:00 2001
From: Dimitris Klouvas
Date: Fri, 10 Mar 2023 12:39:43 +0100
Subject: [PATCH] fix: interstitial of failed token verification (#103)

* fix: Change signed-out & interstitial request state conditions

Set signed-out as default request state and return interstitial ONLY when the token verification fails with expired or invalid_iat errors.

* chore: Add codeowners
---
CODEOWNERS | 1 +
clerk/middleware_v2.go | 24 ++++++++++++++++++++----
2 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 CODEOWNERS

diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..07acc04
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @clerkinc/backend-team
\ No newline at end of file
diff --git a/clerk/middleware_v2.go b/clerk/middleware_v2.go
index 6cefe86..15e69b1 100644
--- a/clerk/middleware_v2.go
+++ b/clerk/middleware_v2.go
@@ -2,12 +2,15 @@ package clerk
 
 import (
 "context"
+ "errors"
 "net"
 "net/http"
 "net/url"
 "regexp"
 "strconv"
 "strings"
+
+ "gopkg.in/square/go-jose.v2/jwt"
 )
 
 var urlSchemeRe = regexp.MustCompile(`(^\w+:|^)\/\/`)
@@ -130,13 +133,26 @@ func WithSessionV2(client Client, verifyTokenOptions ...VerifyTokenOption) func(
 }
 
 claims, err := client.VerifyToken(cookieToken.Value, verifyTokenOptions...)
- if err == nil && claims.IssuedAt != nil && clientUatTs <= int64(*claims.IssuedAt) {
- ctx := context.WithValue(r.Context(), ActiveSessionClaims, claims)
- next.ServeHTTP(w, r.WithContext(ctx))
+
+ if err == nil {
+ if claims.IssuedAt != nil && clientUatTs <= int64(*claims.IssuedAt) {
+ ctx := context.WithValue(r.Context(), ActiveSessionClaims, claims)
+ next.ServeHTTP(w, r.WithContext(ctx))
+ return
+ }
+
+ renderInterstitial(client, w)
 return
 }
 
- renderInterstitial(client, w)
+ if errors.Is(err, jwt.ErrExpired) || errors.Is(err, jwt.ErrIssuedInTheFuture) {
+ renderInterstitial(client, w)
+ return
+ }
+
+ // signed out
+ next.ServeHTTP(w, r)
+ return
 })
 }
 }
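Review bot: The new interstitial branch `if errors.Is(err, jwt.ErrExpired) || errors.Is(err, jwt.ErrIssuedInTheFuture)` in the second middleware_v2.go hunk only fires if client.VerifyToken returns go-jose's sentinel errors unwrapped or wrapped with %w; VerifyToken is outside this hunk so that cannot be confirmed here, and if it wraps with %v or returns its own error type, every verification failure silently takes the signed-out path below instead of the interstitial. A table-driven handler test that drives the three outcomes (claims attached, interstitial, signed out) through WithSessionV2 with an expired and a future-iat token would pin this rather than leaving it to inspection. The `// signed out` comment under-documents a security-relevant default, since a request carrying a cookie whose token fails for any other reason (e.g. bad signature or wrong issuer) now reaches next with no claims; suggest `// Any other verification failure (e.g. bad signature, wrong issuer, malformed token) is treated as signed out: the request continues with no ActiveSessionClaims in its context.` The trailing `return` after `next.ServeHTTP(w, r)` is the last statement of the closure and can be dropped. WithSessionV2 begins above this hunk.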