ToastShaman / dropwizard-auth-jwt

A Dropwizard authentication filter using JSON Web Token (JWT)
Apache License 2.0

Warning logged if JWT is no longer valid #27

Closed BenRomberg closed 7 years ago

BenRomberg commented 7 years ago

First of all, thank you for this great addition to dropwizard. We've used it since 0.8 and just migrated to the 1.0 version without much hassle.

There's one improvement we'd like to see however. Each time a JWT is expired we now get a Warning logged, even though there's nothing we can do about that. We'd prefer only to have warnings logged when there's a potential problem, not on a regular basis.

It's also pretty hard to fix; we could either override JwtAuthFilter and search for the "The JWT is no longer valid" substring in the catch block, or exclude the NumericDateValidator, implement our own validator to skip expiration time validation and implement expiration time validation elsewhere.

Best would be if there were an option to suppress the warning in this case. I'd also be happy to provide a PR if you agree that dropwizard-auth-jwt should provide an option for that.

ToastShaman commented 7 years ago

Hi Ben,

Thank you and I'm pleased that you find this project helpful.

Is it possible that the warning "The JWT is no longer valid" is logged by Jose4j rather than code in this repository? I can't find that particular log message in my code.

BenRomberg commented 7 years ago

True, NumericDateValidator where the validation is done is part of Jose4j, and the message gets turned into an InvalidJwtException in JwtConsumer, also part of Jose4j. The warning however is logged in JwtAuthFilter within dropwizard-auth-jwt.

It's probably a good idea to log the warning in most cases of an InvalidJwtException, but for the case of an outdated JWT token it's more of an annoyance, since it happens often and there's nothing we can or want to do about it.

We'll probably end up rolling our own solution then, since I agree this is not something dropwizard-auth-jwt could easily change.

BenRomberg commented 7 years ago

For anyone else wondering, since it would involve copy/pasting a lot of library code from either Jose4j or dropwizard-auth-jwt to fix it in code, we decided to write a logging filter instead:

import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.filter.Filter;
import ch.qos.logback.core.spi.FilterReply;
import com.fasterxml.jackson.annotation.JsonTypeName;
import io.dropwizard.logging.filter.FilterFactory;

// The type name below is a placeholder of our choosing: it is the value the
// "filterFactories" entry in the Dropwizard logging config refers to, and the
// class must also be listed in META-INF/services/io.dropwizard.logging.filter.FilterFactory
// so Dropwizard can discover it.
@JsonTypeName("jwt-expired")
public class JsonWebTokenLoggingFilterFactory implements FilterFactory<ILoggingEvent> {
    @Override
    public Filter<ILoggingEvent> build() {
        return new JsonWebTokenLoggingFilter();
    }

    // Drops only the WARN that JwtAuthFilter emits for a routinely expired token
    // (the Jose4j message fragment); every other event is left for later filters.
    private static class JsonWebTokenLoggingFilter extends Filter<ILoggingEvent> {
        @Override
        public FilterReply decide(ILoggingEvent loggingEvent) {
            if (loggingEvent.getLevel() == Level.WARN
                    && loggingEvent.getMessage() != null
                    && loggingEvent.getMessage().contains("JWT is no longer valid - the evaluation time")) {
                return FilterReply.DENY;
            }
            return FilterReply.NEUTRAL;
        }
    }
}
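The following is an added example, not code from the issue or from the dropwizard-auth-jwt project. It exercises the decision logic of a logback filter of the kind posted above against constructed logging events, to confirm that only the expired-token warning is dropped while security-relevant warnings (for example an invalid signature) still reach the log. It also shows one caveat: `ILoggingEvent.getMessage()` returns the raw log pattern, so if the warning is ever emitted as a parameterized call (`"... {}", detail`) a substring match on it misses, whereas `getFormattedMessage()` still matches. The message texts, the logger name and the `ExpiredJwtWarningFilter` class are assumptions made for this example.

```java
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.spi.LoggingEvent;
import ch.qos.logback.core.filter.Filter;
import ch.qos.logback.core.spi.FilterReply;
import org.slf4j.LoggerFactory;

public class ExpiredJwtWarningFilterCheck {

    // Fragment of the Jose4j message quoted in the thread above.
    static final String EXPIRED_FRAGMENT = "JWT is no longer valid - the evaluation time";

    // Same idea as the filter posted in the issue, but matched against the fully
    // formatted message so that parameterized log calls are caught as well.
    static class ExpiredJwtWarningFilter extends Filter<ILoggingEvent> {
        @Override
        public FilterReply decide(ILoggingEvent event) {
            String text = event.getFormattedMessage();
            if (event.getLevel() == Level.WARN && text != null && text.contains(EXPIRED_FRAGMENT)) {
                return FilterReply.DENY;   // routine expiry: suppress
            }
            return FilterReply.NEUTRAL;    // anything else: leave to later filters and level config
        }
    }

    // Constructed events standing in for what the auth filter might emit (message shapes are assumed).
    static ILoggingEvent event(Level level, String pattern, Object... args) {
        Logger logger = (Logger) LoggerFactory.getLogger("jwt.filter.check");
        return new LoggingEvent(Logger.class.getName(), logger, level, pattern, null, args);
    }

    static void check(String label, FilterReply actual, FilterReply expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": got " + actual + ", expected " + expected);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        ExpiredJwtWarningFilter filter = new ExpiredJwtWarningFilter();

        ILoggingEvent expired = event(Level.WARN,
                "Error decoding credentials: The " + EXPIRED_FRAGMENT + " is on or after the Expiration Time");
        ILoggingEvent expiredParam = event(Level.WARN,
                "Error decoding credentials: {}", "The " + EXPIRED_FRAGMENT + " is on or after the Expiration Time");
        ILoggingEvent badSignature = event(Level.WARN,
                "Error decoding credentials: JWT rejected due to invalid signature");
        ILoggingEvent expiredAtInfo = event(Level.INFO, EXPIRED_FRAGMENT);

        check("expired, concatenated message", filter.decide(expired), FilterReply.DENY);
        check("expired, parameterized message", filter.decide(expiredParam), FilterReply.DENY);
        check("invalid signature stays logged", filter.decide(badSignature), FilterReply.NEUTRAL);
        check("expiry text at INFO is untouched", filter.decide(expiredAtInfo), FilterReply.NEUTRAL);

        // Contrast: matching on the raw pattern misses the parameterized form.
        System.out.println("raw pattern contains fragment:  " + expiredParam.getMessage().contains(EXPIRED_FRAGMENT));
        System.out.println("formatted text contains fragment: " + expiredParam.getFormattedMessage().contains(EXPIRED_FRAGMENT));
    }
}
```

Run it with logback-classic and slf4j-api on the classpath; the four checks pass and the last two lines print `false` and `true`, which is the reason to prefer `getFormattedMessage()` when the exact logging call in the library is not under your control.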