"Secured" Annotation Does Not Appear to Work with JWT
Opened this issue · 2 comments
What are the steps to reproduce this issue?
- Implement JWT configuration
- Authenticate and receive JWT token
- Attempt to GET /api/v1/echo/whoami/
What happens?
You will get an invalid or missing auth credentials response.
…
What were you expecting to happen?
It should execute the handler method.
…
Any other comments?
I would have assumed that passing along the JWT token would allow bypassing the secured annotation. However, I think for this to have the intended effect, you have to add the whoami() method to the cbsecurity firewall rules and remove the annotation.
The firewall doesn't care if it's jwt or not. It just checks the logged in user for annotations. The annotation should have worked, if not, we have an issue
The annotations work in the sense that it prevents access to the handler action. However, in the context of the Coldbox REST API template, the whoami() method is supposed to tell the user who they are based on the passed JWT token, right?
Maybe I am doing something wrong, but based on my tests with Postman, if I hit that endpoint with a valid JWT token, I get the invalid or missing auth credentials no matter what. If I remove the secured annotation, it works.
/**
* A secured route that shows you your information
*
* @x -route (GET) /api/whoami
* @security bearerAuth,ApiKeyAuth
* @response -default ~echo/whoami/responses.json##200
* @response -401 ~echo/whoami/responses.json##401
*/
function whoami( event, rc, prc ) secured{
event.getResponse().setData( jwtAuth().getUser().getMemento() );
}
If the secured annotation is doing what its supposed to, perhaps we should remove the annotation and change the method to something like this:
function whoami( event, rc, prc ) {
try {
event.getResponse().setData( jwtAuth().getUser().getMemento() );
} catch( TokenNotFoundException e ) {
event.getResponse().addMessage( "You are a guest" );
}
}