feat: Improved error messages/warnings

codedust · codedust · commit 674d389b3396 · 2021-10-20T23:37:41.000+02:00
New: If no secret/publicKey is provided by the user, no signature check
is performed. Rather then silently skipping the signature check, this
commit introduces a warning in this case.

New: If the `exp` claim is not set and the token validation check is
skipped, a warning is shown.

New: After a successful signature validation a success message is shown.

Changed: The `InvalidAlgorithm` error message now shows the selected
algorithm and the algorithm specified in the JWT header.

New: If no signature validation is performed, the return code is now
`2`.

All tests have been updated accordingly.
diff --git a/src/main.rs b/src/main.rs
@@ -476,7 +476,7 @@ fn encode_token(matches: &ArgMatches) -> JWTResult<String> {
 fn decode_token(
     matches: &ArgMatches,
 ) -> (
-    JWTResult<TokenData<Payload>>,
+    Option<JWTResult<TokenData<Payload>>>,
     JWTResult<TokenData<Payload>>,
     OutputFormat,
 ) {
@@ -523,8 +523,12 @@ fn decode_token(
 
     (
         match secret {
-            Some(secret_key) => decode::<Payload>(&jwt, &secret_key.unwrap(), &secret_validator),
-            None => dangerous_insecure_decode::<Payload>(&jwt),
+            Some(secret_key) => Some(decode::<Payload>(
+                &jwt,
+                &secret_key.unwrap(),
+                &secret_validator,
+            )),
+            None => None, // unable to safely decode token => validated_token is set to None
         },
         token_data,
         if matches.is_present("json") {
@@ -554,12 +558,13 @@ fn print_encoded_token(token: JWTResult<String>) {
 }
 
 fn print_decoded_token(
-    validated_token: JWTResult<TokenData<Payload>>,
+    validated_token: Option<JWTResult<TokenData<Payload>>>,
     token_data: JWTResult<TokenData<Payload>>,
+    options_algorithm: Algorithm,
     format: OutputFormat,
 ) {
-    if let Err(err) = &validated_token {
-        match err.kind() {
+    match validated_token {
+        Some(Err(ref err)) => match err.kind() {
             ErrorKind::InvalidToken => {
                 bunt::println!("{$red+bold}The JWT provided is invalid{/$}")
             }
@@ -587,15 +592,20 @@ fn print_decoded_token(
             ErrorKind::ImmatureSignature => bunt::eprintln!(
                 "{$red+bold}The `nbf` claim is in the future which isn't allowed{/$}"
             ),
-            ErrorKind::InvalidAlgorithm => bunt::eprintln!(
-                "{$red+bold}The JWT provided has a different signing algorithm than the one you \
-                     provided{/$}",
-            ),
+            ErrorKind::InvalidAlgorithm => {
+                let jwt_algorithm = match token_data {
+                    Ok(ref token) => token.header.alg,
+                    Err(_) => panic!("Error: Invalid token data."),
+                };
+                bunt::eprintln!("{$red+bold}Error: Invalid Signature! The JWT provided has a different signing algorithm ({:?}) than the one selected for validation ({:?}){/$}",jwt_algorithm, options_algorithm)
+            }
             _ => bunt::eprintln!(
-                "{$red+bold}The JWT provided is invalid because{/$} {:?}",
+                "{$red+bold}The JWT provided is invalid because {:?}{/$}",
                 err
             ),
-        };
+        },
+        Some(Ok(_)) => bunt::eprintln!("{$green+bold}Success! JWT signature is valid!{/$}"),
+        None => bunt::eprintln!("{$red+bold}Warning! JWT signature has not been validated!{/$}"),
     }
 
     match (format, token_data) {
@@ -612,8 +622,9 @@ fn print_decoded_token(
     }
 
     exit(match validated_token {
-        Err(_) => 1,
-        Ok(_) => 0,
+        Some(Ok(_)) => 0,  // successful signature check
+        Some(Err(_)) => 1, // token validation error
+        None => 2,         // no signature check performed
     })
 }
 
@@ -631,7 +642,11 @@ fn main() {
         ("decode", Some(decode_matches)) => {
             let (validated_token, token_data, format) = decode_token(decode_matches);
 
-            print_decoded_token(validated_token, token_data, format);
+            let options_algorithm = translate_algorithm(SupportedAlgorithms::from_string(
+                decode_matches.value_of("algorithm").unwrap(),
+            ));
+
+            print_decoded_token(validated_token, token_data, options_algorithm, format);
         }
         _ => (),
     }
diff --git a/tests/jwt-cli.rs b/tests/jwt-cli.rs
@@ -252,9 +252,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header } = decoded_token.unwrap();
+        let TokenData { claims, header } = decoded_token.unwrap().unwrap();
 
         assert_eq!(header.alg, Algorithm::HS256);
         assert_eq!(header.kid, Some("1234".to_string()));
@@ -286,9 +286,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
         let iat = from_value::<i64>(claims.0["iat"].clone());
 
         assert!(iat.is_ok());
@@ -308,7 +308,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_err());
+        assert!(decoded_token.as_ref().unwrap().is_err());
 
         let TokenData { claims, header: _ } = token_data.unwrap();
 
@@ -328,9 +328,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
         let exp = from_value::<i64>(claims.0["exp"].clone());
 
         assert!(exp.is_ok());
@@ -357,9 +357,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
 
         assert!(claims.0.get("iat").is_none());
     }
@@ -385,9 +385,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
         let exp_claim = from_value::<i64>(claims.0["exp"].clone());
 
         assert!(exp_claim.is_ok());
@@ -407,7 +407,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_err());
+        assert!(decoded_token.as_ref().unwrap().is_err());
     }
 
     #[test]
@@ -430,7 +430,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
     }
 
     #[test]
@@ -453,9 +453,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
         let exp_claim = from_value::<i64>(claims.0["exp"].clone());
         let iat_claim = from_value::<i64>(claims.0["iat"].clone());
 
@@ -489,9 +489,9 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, _, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
-        let TokenData { claims, header: _ } = decoded_token.unwrap();
+        let TokenData { claims, header: _ } = decoded_token.unwrap().unwrap();
         let nbf_claim = from_value::<i64>(claims.0["nbf"].clone());
         let iat_claim = from_value::<i64>(claims.0["iat"].clone());
 
@@ -520,7 +520,7 @@ mod tests {
         let decode_matches = matches.subcommand_matches("decode").unwrap();
         let (result, _, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(result.unwrap().is_ok());
     }
 
     #[test]
@@ -534,9 +534,10 @@ mod tests {
             ])
             .unwrap();
         let decode_matches = matches.subcommand_matches("decode").unwrap();
-        let (result, _, format) = decode_token(&decode_matches);
+        let (validated_token, token_data, format) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(validated_token.is_none()); // no signature validation
+        assert!(token_data.is_ok());
         assert!(format == OutputFormat::Json);
     }
 
@@ -556,7 +557,7 @@ mod tests {
         let decode_matches = matches.subcommand_matches("decode").unwrap();
         let (result, _, _) = decode_token(&decode_matches);
 
-        assert!(result.is_err());
+        assert!(result.unwrap().is_err());
     }
 
     #[test]
@@ -571,9 +572,10 @@ mod tests {
             ])
             .unwrap();
         let decode_matches = matches.subcommand_matches("decode").unwrap();
-        let (result, _, _) = decode_token(&decode_matches);
+        let (validated_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(validated_token.is_none()); // no signature validation
+        assert!(token_data.is_ok());
     }
 
     #[test]
@@ -586,9 +588,10 @@ mod tests {
             ])
             .unwrap();
         let decode_matches = matches.subcommand_matches("decode").unwrap();
-        let (result, _, _) = decode_token(&decode_matches);
+        let (validated_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(validated_token.is_none()); // no signature validation
+        assert!(token_data.is_ok());
     }
 
     #[test]
@@ -601,9 +604,10 @@ mod tests {
             ])
             .unwrap();
         let decode_matches = matches.subcommand_matches("decode").unwrap();
-        let (result, _, _) = decode_token(&decode_matches);
+        let (validated_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(validated_token.is_none()); // no signature validation
+        assert!(token_data.is_ok());
     }
 
     #[test]
@@ -616,9 +620,10 @@ mod tests {
             ])
             .unwrap();
         let decode_matches = matches.subcommand_matches("decode").unwrap();
-        let (result, _, _) = decode_token(&decode_matches);
+        let (validated_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(validated_token.is_none()); // no signature validation
+        assert!(token_data.is_ok());
     }
 
     #[test]
@@ -652,7 +657,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (result, _, _) = decode_token(&decode_matches);
 
-        assert!(result.is_ok());
+        assert!(result.unwrap().is_ok());
     }
 
     #[test]
@@ -755,9 +760,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (result, _, _) = decode_token(&decode_matches);
 
-        dbg!(&result);
-
-        assert!(result.is_ok());
+        assert!(result.unwrap().is_ok());
     }
 
     #[test]
@@ -791,7 +794,7 @@ mod tests {
         let decode_matches = decode_matcher.subcommand_matches("decode").unwrap();
         let (decoded_token, token_data, _) = decode_token(&decode_matches);
 
-        assert!(decoded_token.is_ok());
+        assert!(decoded_token.as_ref().unwrap().is_ok());
 
         let TokenData { claims, header: _ } = token_data.unwrap();
 
