adam-hanna / jwt-auth

This package provides json web token (jwt) middleware for goLang http servers
MIT License

validateCsrfStringAgainstCredentials() panic #8

Closed dooglegh closed 6 years ago

dooglegh commented 6 years ago

ERROR http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference

```
echo: http: panic serving 127.0.0.1:49244: runtime error: invalid memory address or nil pointer dereference
goroutine 16 [running]:
net/http.(*conn).serve.func1(0xc4201ae500)
    /usr/lib/go-1.8/src/net/http/server.go:1721 +0xd0
panic(0x897be0, 0xb59280)
    /usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
/adam-hanna/jwt-auth/jwt.(*credentials).validateCsrfStringAgainstCredentials(0xc4201736d0, 0x1bf08eb000)
    /adam-hanna/jwt-auth/jwt/credentials.go:93 +0x3e
/adam-hanna/jwt-auth/jwt.(*credentials).validateAndUpdateCredentials(0xc4201736d0, 0xc420326000)
    /adam-hanna/jwt-auth/jwt/credentials.go:162 +0x43
/adam-hanna/jwt-auth/jwt.(*Auth).Process(0xc4202020f0, 0xb32e60, 0xc420173630, 0xc420326000, 0x8d43e0)
    /adam-hanna/jwt-auth/jwt/auth.go:337 +0x249
/adam-hanna/jwt-auth/jwt.(*Auth).Handler.func1(0xb32e60, 0xc420173630, 0xc420326000)
    /adam-hanna/jwt-auth/jwt/auth.go:275 +0x7a
net/http.HandlerFunc.ServeHTTP(0xc4201b0880, 0xb32e60, 0xc420173630, 0xc420326000)
    /usr/lib/go-1.8/src/net/http/server.go:1942 +0x44
/vendor/github.com/labstack/echo.WrapMiddleware.func1.1(0xb3a3c0, 0xc42014f570, 0x20, 0x8c4b80)
    /vendor/github.com/labstack/echo/echo.go:694 +0x174
/vendor/github.com/labstack/echo.(*Echo).Add.func1(0xb3a3c0, 0xc42014f570, 0xc420173630, 0xb334a0)
    /vendor/github.com/labstack/echo/echo.go:477 +0x90
/vendor/github.com/labstack/echo/middleware.GzipWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
    /vendor/github.com/labstack/echo/middleware/compress.go:92 +0x173
/vendor/github.com/labstack/echo/middleware.CORSWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xf, 0x91aff1)
    /vendor/github.com/labstack/echo/middleware/cors.go:113 +0x2e7
/vendor/github.com/labstack/echo/middleware.SecureWithConfig.func1.1(0xb3a3c0, 0xc42014f570, 0xb658e0, 0xc420057b18)
    /vendor/github.com/labstack/echo/middleware/secure.go:113 +0x2af
/vendor/github.com/labstack/echo/middleware.LoggerWithConfig.func2.1(0xb3a3c0, 0xc42014f570, 0x0, 0x0)
    /vendor/github.com/labstack/echo/middleware/logger.go:111 +0x12b
...
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP.func1(0xb3a3c0, 0xc42014f570, 0xc420198ef8, 0x914a60)
    /vendor/github.com/labstack/echo/echo.go:574 +0x10e
/vendor/github.com/labstack/echo.(*Echo).ServeHTTP(0xc420198ea0, 0xb334a0, 0xc4201550a0, 0xc420326000)
    /vendor/github.com/labstack/echo/echo.go:583 +0x24d
net/http.serverHandler.ServeHTTP(0xc4201b60b0, 0xb334a0, 0xc4201550a0, 0xc420326000)
    /usr/lib/go-1.8/src/net/http/server.go:2568 +0x92
net/http.(*conn).serve(0xc4201ae500, 0xb33f20, 0xc4201aa900)
    /usr/lib/go-1.8/src/net/http/server.go:1825 +0x612
created by net/http.(*Server).Serve
    /usr/lib/go-1.8/src/net/http/server.go:2668 +0x2ce
```

REQUEST HEADER

```
X-Auth-Token : null
X-Refresh-Token : null
X-Csrf-Token : null
```

PANIC credentials.go:92

```go
func (c *credentials) validateCsrfStringAgainstCredentials() *jwtError {
    authTokenClaims, ok := c.AuthToken.Token.Claims.(*ClaimsType) // <<< PANIC! ( c.AuthToken.Token is nil )
```

c.AuthToken.Token is nil

c.RefreshToken.Token is nil

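MY BUGFIX jwtToken.go:42

```go
// Parsing returned no token: substitute an empty token with empty claims
// so the later claims type assertion does not dereference nil.
if token == nil {
    token = new(jwtGo.Token)
    token.Claims = new(ClaimsType)
    c.myLog("token is nil, set empty token (parse error=" + err.Error() + ")")
}
```

adam-hanna commented 6 years ago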

Thanks for the great bug report! If you'd like to submit a pull request, I'd happily merge. Otherwise, I'm happy to make the change myself!

:)
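
As an added example (not code from the jwt-auth project or from either commenter), the Go program below shows a fail-closed form of the guard discussed in this issue: a token that did not parse, or one carrying empty claims, yields a 401 instead of being dereferenced. The types, `parse`, `csrfOK`, `statusFor` and the sample token and CSRF values are hypothetical stand-ins constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Hypothetical stand-ins for the types named in the issue, not the package's own definitions.
type ClaimsType struct{ Csrf string }
type Token struct{ Claims interface{} }
type jwtToken struct{ Token *Token }
type credentials struct {
	CsrfString string
	AuthToken  *jwtToken
}

// parse stands in for the JWT parser (assumption): it returns nil on any parse failure.
func parse(raw string) *Token {
	if raw != "constructed-valid-token" {
		return nil
	}
	return &Token{Claims: &ClaimsType{Csrf: "constructed-csrf"}}
}

// csrfOK rejects unparsed tokens and empty claims before comparing, so it never dereferences nil.
func (c *credentials) csrfOK() bool {
	if c == nil || c.AuthToken == nil || c.AuthToken.Token == nil {
		return false
	}
	claims, ok := c.AuthToken.Token.Claims.(*ClaimsType)
	if !ok || claims == nil || claims.Csrf == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(claims.Csrf), []byte(c.CsrfString)) == 1
}

// statusFor returns the HTTP status a middleware would send for the given header values.
func statusFor(authHeader, csrfHeader string) int {
	c := &credentials{CsrfString: csrfHeader, AuthToken: &jwtToken{Token: parse(authHeader)}}
	if !c.csrfOK() {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	fmt.Println(statusFor("null", "null"), statusFor("constructed-valid-token", "constructed-csrf"))
}
```

The explicit empty-claim check matters when a nil token is replaced by an empty one: without it, an empty CSRF claim would compare equal to an empty CSRF header.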