When a fake token (token = "FAKE") is passed to jwt.Parser, the err object is set to nil while `Errors = 1` and the text is "token contains an invalid number of segments".
This results in an invalid state for err.Errors() and panics the code.
```go
token, err := jwt.Parse(rawToken, func(token *jwt.Token) (interface{}, error) {
	tokenParsed = true
	// Only RSA-signed tokens are accepted.
	if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
		holdSoteErr = sError.GetSError(605000, nil, sError.EmptyMap)
	}
	if holdSoteErr.ErrCode == nil {
		var (
			kid  string
			ok   bool
			keys []jwk.Key
		)
		// The header must carry a string kid so the matching JWK can be looked up.
		if kid, ok = token.Header["kid"].(string); !ok {
			holdSoteErr = sError.GetSError(605010, nil, sError.EmptyMap)
		}
		if holdSoteErr.ErrCode == nil {
			if keys, holdSoteErr = matchKid(tEnvironment, kid); holdSoteErr.ErrCode == nil {
				var raw interface{}
				return raw, keys[0].Raw(&raw)
			}
		}
	}
	// Any failure above is only recorded in holdSoteErr (outer scope);
	// the Keyfunc itself returns no key and no error.
	return nil, nil
})
```
Followed by:
```go
if err != nil {
	...
}
```
The err is nil but the token is invalid, so any process after this point fails.
If you use err.Errors() to capture the text from the err, it will capture the error text. This will result in all valid tokens failing because the err has a valid state of nil with no text, again resulting in a panic.
Expected:
When the error is created the err value should be other than nil.
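As an added illustration (not code from the report or from the jwt library), the guard a caller can run before jwt.Parse so that the "FAKE" case always surfaces as a non-nil, inspectable error: it checks the three-segment shape, the RSA alg and the string kid, the same conditions the Keyfunc above tests. The flag names and the value ValidationErrorMalformed == 1 are modeled on jwt-go's ValidationError as an assumption; ShapeError is a stand-in type, not the library's.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Flag bits modeled on jwt-go's ValidationError.Errors (assumed values;
// Malformed == 1 matches the "Errors = 1" seen in the report).
const (
	ValidationErrorMalformed uint32 = 1 << iota
	ValidationErrorUnverifiable
)

// ShapeError is a stand-in for jwt-go's *ValidationError; it is always
// returned as a non-nil error value, so `err != nil` is reliable.
type ShapeError struct {
	Errors uint32
	Text   string
}

func (e *ShapeError) Error() string { return e.Text }

// CheckShape rejects a token before any key lookup: three segments, a JSON
// header, an RSA (RS*) alg and a non-empty string kid are required.
func CheckShape(raw string) error {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return &ShapeError{ValidationErrorMalformed, "token contains an invalid number of segments"}
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return &ShapeError{ValidationErrorMalformed, "header is not base64url"}
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return &ShapeError{ValidationErrorMalformed, "header is not JSON"}
	}
	if !strings.HasPrefix(hdr.Alg, "RS") { // rejects "none", HS*, PS* as well
		return &ShapeError{ValidationErrorUnverifiable, "signing method " + hdr.Alg + " is not RSA"}
	}
	if hdr.Kid == "" {
		return &ShapeError{ValidationErrorUnverifiable, "header has no kid"}
	}
	return nil
}

// MalformedBit reports whether err carries the Malformed flag, the kind of
// check the report wanted to make through err.Errors().
func MalformedBit(err error) bool {
	var se *ShapeError
	return errors.As(err, &se) && se.Errors&ValidationErrorMalformed != 0
}
```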