apache / polaris

Apache Polaris, the interoperable, open source catalog for Apache Iceberg
https://polaris.apache.org/
Apache License 2.0

[BUG] expired JWT token returns 5xx instead of 401 #304

Closed TomerHeber closed 3 days ago

TomerHeber commented 1 month ago

Is this a possible security vulnerability?

Describe the bug

When sending an http request with an expired token, 5xx is returned instead of 401.

To Reproduce

  1. Enable JWTBroker.
  2. Generate a token with credentials.
  3. Wait 60 minutes.
  4. Send a request with the expired token. Returns 5xx instead of 401.

oauth2:
  # type: test
  type: default
  tokenBroker:
    type: symmetric-key
    secret: polaris

authenticator:
  # class: org.apache.polaris.service.auth.TestInlineBearerTokenPolarisAuthenticator
  class: org.apache.polaris.service.auth.DefaultPolarisAuthenticator
  tokenBroker:
    type: symmetric-key
    secret: polaris

Actual Behavior

5xx http response.

Expected Behavior

401 http response.

Additional context

The issue is with this code snippet: https://github.com/apache/polaris/blob/main/polaris-service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java#L59

    JWTVerifier verifier = JWT.require(getAlgorithm()).build();
    DecodedJWT decodedJWT = verifier.verify(token);
    Boolean isActive = decodedJWT.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
    if (isActive == null || !isActive) {
      throw new NotAuthorizedException("Token is not active");
    }
    if (decodedJWT.getExpiresAtAsInstant().isBefore(Instant.now())) {
      throw new NotAuthorizedException("Token has expired");
    }

verifier.verify throws JWTVerificationException if the token verification fails. https://github.com/auth0/java-jwt/blob/fb6d00ad9773c6e7624c518feb2d06ed191287fa/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L346

This is an uncaught exception. The exception NotAuthorizedException should have been returned instead.

System information

N/A

TomerHeber commented 1 month ago

Consider using the decode function instead: https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/JWT.html
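The following is an added, self-contained demonstration of the failure mode described in the issue and of the fix; it is not Polaris code and not code from either commenter. It uses the auth0 java-jwt library (com.auth0:java-jwt) that the quoted JWTBroker snippet depends on, a stand-in NotAuthorized exception in place of the JAX-RS NotAuthorizedException, and an assumed claim name "active" for CLAIM_KEY_ACTIVE. One caveat a practitioner should weigh against the decode() suggestion above: JWT.decode() only parses the token and performs no signature check, so it cannot replace verify(). The remedy is to keep verify() and catch JWTVerificationException (of which TokenExpiredException and SignatureVerificationException are subclasses), mapping every such failure to the 401 path. The exp check that follows verify() in the quoted snippet is unreachable for an expired token, because verify() has already thrown.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.time.Instant;
import java.util.Date;

/** Added demo (not Polaris code): how java-jwt verification failures map to HTTP status codes. */
public class JwtStatusDemo {

  private static final String SECRET = "polaris";          // value taken from the issue's config
  private static final String CLAIM_KEY_ACTIVE = "active"; // assumption: the broker's "active" claim name

  /** Stand-in for the HTTP response the authenticator ends up producing. */
  record AuthResult(int status, String reason) {}

  /** Stand-in for the JAX-RS NotAuthorizedException that a container maps to 401. */
  static class NotAuthorized extends RuntimeException {
    NotAuthorized(String msg) { super(msg); }
  }

  static Algorithm algorithm() { return Algorithm.HMAC256(SECRET); }

  /** Mints a test token; a negative ttl yields one that is already expired. */
  static String mint(long ttlSeconds, boolean active, String signingSecret) {
    return JWT.create()
        .withSubject("test-user")
        .withClaim(CLAIM_KEY_ACTIVE, active)
        .withExpiresAt(Date.from(Instant.now().plusSeconds(ttlSeconds)))
        .sign(Algorithm.HMAC256(signingSecret));
  }

  /** Same shape as the snippet quoted in the issue: verify() is unguarded, so an expired
   *  or forged token raises a JWTVerificationException that nothing maps to 401. */
  static DecodedJWT verifyUnguarded(String token) {
    JWTVerifier verifier = JWT.require(algorithm()).build();
    DecodedJWT jwt = verifier.verify(token); // throws TokenExpiredException, SignatureVerificationException, ...
    Boolean active = jwt.getClaim(CLAIM_KEY_ACTIVE).asBoolean();
    if (active == null || !active) {
      throw new NotAuthorized("Token is not active");
    }
    // Unreachable for expired tokens: verify() already rejected them above.
    if (jwt.getExpiresAtAsInstant().isBefore(Instant.now())) {
      throw new NotAuthorized("Token has expired");
    }
    return jwt;
  }

  /** Hardened form: signature, expiry and claim failures all become the 401 exception.
   *  The "active" requirement is pushed into the verifier, and the client-facing message
   *  deliberately does not reveal which check failed. */
  static DecodedJWT verifyGuarded(String token) {
    JWTVerifier verifier = JWT.require(algorithm()).withClaim(CLAIM_KEY_ACTIVE, true).build();
    try {
      return verifier.verify(token);
    } catch (JWTVerificationException e) {
      throw new NotAuthorized("Invalid token");
    }
  }

  /** Simulates the container's default behaviour: an unmapped exception becomes a 500. */
  static AuthResult handleRequest(String token, boolean guarded) {
    try {
      DecodedJWT jwt = guarded ? verifyGuarded(token) : verifyUnguarded(token);
      return new AuthResult(200, "authenticated as " + jwt.getSubject());
    } catch (NotAuthorized e) {
      return new AuthResult(401, e.getMessage());
    } catch (RuntimeException e) {
      return new AuthResult(500, e.getClass().getSimpleName() + ": " + e.getMessage());
    }
  }

  public static void main(String[] args) {
    // Constructed test tokens: fresh, expired, inactive, and one signed with the wrong key.
    String fresh    = mint(3600, true, SECRET);
    String expired  = mint(-60, true, SECRET);
    String inactive = mint(3600, false, SECRET);
    String forged   = mint(3600, true, "not-the-broker-secret");

    for (boolean guarded : new boolean[] {false, true}) {
      System.out.println(guarded ? "-- guarded verify --" : "-- unguarded verify (shape of issue #304) --");
      System.out.println("fresh:    " + handleRequest(fresh, guarded));
      System.out.println("expired:  " + handleRequest(expired, guarded));
      System.out.println("inactive: " + handleRequest(inactive, guarded));
      System.out.println("forged:   " + handleRequest(forged, guarded));
    }
  }
}
```

Run with java-jwt on the classpath. In the unguarded pass the expired and forged tokens surface as 500 because TokenExpiredException and SignatureVerificationException escape the authenticator; in the guarded pass every bad token, whatever the reason, is answered with 401, which is also the outcome a client should be unable to distinguish from the others.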

eric-maynard commented 3 days ago

Should be fixed by #530, but please re-open if that's not the case