My JWT validation now works on a microservice. How to I throw proper HTTP responses back?

xuanbao · · 255 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>More namely, I need to throw a HTTP 403 back if the JWT verification anything but succeeds. How would you default to that?</p> <p>The JWT verification works now. Here&#39;s my handler.</p> <pre><code>func (ma *myapp) SomeHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set(&#34;Content-Type&#34;, &#34;application/json&#34;) reqToken := r.Header.Get(&#34;Authorization&#34;) splitToken := strings.Split(reqToken, &#34;Bearer &#34;) reqToken = splitToken[1] // It will crap out here, if there isn&#39;t an authorization header present err := lib.VerifyIDToken(ma.fbapp, reqToken) if err != nil { http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } enc := json.NewEncoder(w) enc.Encode(lib.MarketDataMap) } </code></pre> <p>However, if you just go to the URL itself, it will throw a 502 bad gateway from nginx, because my Go app throws an index out of bounds error for <code>reqToken = splitToken[1]</code>, which makes sense since nothing is there.</p> <p>How would one default to http 403 in a handler, in best practice? I can&#39;t attach <code>err</code> to the logic, before I am at <code>VerifyIDToken</code>, and there, the index out of bounds has already happened. </p> <p>Any input is appreciated! I&#39;m rather new to Go, but finding it nicer and nicer the more I learn :) Definitely gonna be my Go...-to language from now on(Coming from Java)</p> <hr/>**评论:**<br/><br/>seankhliao: <pre><p>if you need to do this for a lot of handlers you can wrap it in something like:</p> <pre><code>type precheck func(w http.ResponseWriter, r *http.Request) func (p precheck) ServeHTTP(w http.ResponseWriter, r *http.Request) { // verification here p(w, r) } </code></pre> <p>and use it like this:</p> <pre><code>http.Handle(&#39;/some/path/&#39;, precheck(someHandler)) </code></pre></pre>titpetric: <pre><p>You can check len(splitToken) to see if you have 2 items.</p> <pre><code>if len(splitToken) &lt; 2 { http.Error(...) return } reqToken = splitToken[1] ... </code></pre></pre>cbll: <pre><p>But, since this service only responds to valid requests with an authentication header + JWT, wouldn&#39;t it be &#34;prettier&#34; for it to return 403 for everything except successful requests? Or maybe I&#39;m just dreaming :) </p></pre>titpetric: <pre><p>Short answer: If you&#39;d mask all bad requests to 403, you&#39;ll have a hard time tracking down the actual error. The 503 is a valid response, which you resolve by writing better code in this case. In another case it might indicate a database failure, or something else. Either way, it&#39;s something that should be investigated and corrected, and not hidden under the carpet ;)</p></pre>Redundancy_: <pre><p>a panic due to looking at a slice index that doesn&#39;t exist isn&#39;t pretty...</p> <p>Alternatively, use empty values:</p> <pre><code>authorizationHeader := r.Header.Get(&#34;Authorization&#34;) var reqToken string const authPrefix = &#34;Bearer &#34; if strings.HasPrefix(authorizationHeader, authPrefix) { reqToken = authorizationHeader[len(authPrefix):] } err := lib.VerifyIDToken(ma.fbapp, reqToken) ... </code></pre> <p>Assuming that &#34;&#34; will fail happily in a non-side-effecty way, you could do that without breaking your control flow and basically make a missing auth token the same as a bad auth token. </p></pre>cbll: <pre><blockquote> <p>a panic due to looking at a slice index that doesn&#39;t exist isn&#39;t pretty...</p> </blockquote> <p>Indeed, hence why I am learning :)!</p> <blockquote> </blockquote> <p>Alternatively, use empty values:</p> <p>Thought of this, but seemed a bit javascripty to me. But yeah looks a bit better in the flow, I can see that. </p></pre>Redundancy_: <pre><p>I feel like the better answer is <a href="/u/titpetric" rel="nofollow">/u/titpetric</a>&#39;s with a proper test and early return, I&#39;m just giving you some options.</p></pre>cbll: <pre><p>Gotcha. Thanks for the help!</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

255 次点击  
加入收藏 微博
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传