feat: enhance JWT validation and error handling with improved response mechanisms

infezek · infezek · commit f8cfbc0c9447 · 2025-03-07T11:35:39.000-03:00
diff --git a/lib/resty/libjwt/init.lua b/lib/resty/libjwt/init.lua
@@ -3,11 +3,12 @@ local utils = require("resty.libjwt.utils")
 local cached = require("resty.libjwt.cached")
 local decode = require("resty.libjwt.decode")
 local cjson = require("cjson.safe")
+local ffi = require("ffi")
 local _M = {}
 local ngx = ngx
 
 local open = io.open
-local function _read_file(path)
+function _M.read_file(path)
     local file = open(path, "rb")
     if not file then return nil end
     local content = file:read "*a"
@@ -16,30 +17,35 @@ local function _read_file(path)
 end
 
 local TOKEN_VALID = 0
-
-
-local function _validate(params)
+function _M.validate(user_params)
+    local params, err = utils.get_params(user_params)
+    if params == nil then
+        return false, _M.response_error(err, false)
+    end
+    if err ~= "" then
+        return false, _M.response_error(err, params.return_unauthorized_default)
+    end
     local headers = ngx.req.get_headers()
-    local token, err
 
+    local token
     token, err = utils.get_token(headers, params.header_token)
     if err ~= "" then
-        return nil, err
+        return false, _M.response_error(err, params.return_unauthorized_default)
     end
     local parsed_token
     parsed_token, err = decode.jwt(token)
     if err ~= nil then
-        return nil, err
+        return nil, _M.response_error(err, params.return_unauthorized_default)
     end
     if parsed_token == nil or parsed_token.header.kid == nil then
-        return nil, "kid not found"
+        return nil, _M.response_error("kid not found", params.return_unauthorized_default)
     end
 
     local files_cached = cached:getInstance()
     for _, jwks_file in ipairs(params.jwks_files) do
         local file
         if files_cached:get(jwks_file) == nil then
-            file = _read_file(jwks_file)
+            file = _M.read_file(jwks_file)
             if file == nil then
                 goto continue
             end
@@ -48,19 +54,21 @@ local function _validate(params)
             file = files_cached:get(jwks_file)
         end
         local jwks_set = jwks_c.jwks_create(file);
+        ffi.gc(jwks_set, jwks_c.jwks_free);
         local checker = jwks_c.jwt_checker_new();
+        ffi.gc(checker, jwks_c.jwt_checker_free);
         local jwks_item = jwks_c.jwks_find_bykid(jwks_set, parsed_token.header.kid);
         if jwks_item == nil then
             goto continue
         end
         local alg = jwks_c.jwks_item_alg(jwks_item);
 
         if alg == jwks_c.JWT_ALG_NONE then
-            return nil, "No algorithm found on jwks"
+            return nil, _M.response_error("No algorithm found on jwks", params.return_unauthorized_default)
         end
 
         if alg == jwks_c.JWT_ALG_INVAL then
-            return nil, "invalid algorithm found on jwks"
+            return nil, _M.response_error("invalid algorithm found on jwks", params.return_unauthorized_default)
         end
 
         jwks_c.jwt_checker_setkey(checker, alg, jwks_item);
@@ -70,11 +78,10 @@ local function _validate(params)
         end
         ::continue::
     end
-
-    return nil, "invalid token"
+    return nil, _M.response_error("invalid token", params.return_unauthorized_default)
 end
 
-local function _response_error(error_message, return_unauthorized_default)
+function _M.response_error(error_message, return_unauthorized_default)
     if return_unauthorized_default == true then
         ngx.header.content_type = "application/json; charset=utf-8"
         local response = {
@@ -87,19 +94,4 @@ local function _response_error(error_message, return_unauthorized_default)
     return error_message
 end
 
-
-function _M.validate(user_params)
-    local params, err = utils.get_params(user_params)
-    if params == nil then
-        return nil, _response_error(err, true)
-    end
-
-    local parsed_token
-    parsed_token, err = _validate(params)
-    if err ~= "" then
-        return nil, _response_error(err, params.return_unauthorized_default)
-    end
-    return parsed_token, ""
-end
-
 return _M
diff --git a/lib/resty/libjwt/jwks_c.lua b/lib/resty/libjwt/jwks_c.lua
@@ -33,6 +33,10 @@ jwk_set_t *jwks_create(const char *jwk_json_str);
 const jwk_item_t *jwks_item_get(const jwk_set_t *jwk_set, size_t index);
 jwk_item_t *jwks_find_bykid(jwk_set_t *jwk_set, const char *kid);
 jwt_alg_t jwks_item_alg(const jwk_item_t *item);
+
+
+void jwks_free(jwk_set_t *jwk_set);
+void jwt_checker_free(jwt_checker_t *checker);
 ]]
 
 local libjwt = ffi.load("libjwt");
