fix check invalid access token passed

diff --git a/accesstoken/accesstoken.go b/accesstoken/accesstoken.go
index ef12e7f..6355a18 100644 (file)
--- a/accesstoken/accesstoken.go
+++ b/accesstoken/accesstoken.go
@@ -28,6 +28,8 @@ var (
        ErrBadType = errors.New("type must be client or network")
        // ErrNoMatchID is returned when Delete is called on nonexisting ID.
        ErrNoMatchID = errors.New("nonexisting access token ID")
+       // ErrInvalidToken is returned when Check is called on invalid token
+       ErrInvalidToken = errors.New("invalid token")
 
        // validIDRegexp checks that all characters are alphumeric, _ or -.
        // It also must have a length of at least 1.
@@ -109,7 +111,7 @@ func (cs *CredentialStore) Check(ctx context.Context, id string, secret string)
                return true, nil
        }
 
-       return false, nil
+       return false, ErrInvalidToken
 }
 
 // List lists all access tokens.

diff --git a/accesstoken/accesstoken_test.go b/accesstoken/accesstoken_test.go
index f789393..0fcbaec 100644 (file)
--- a/accesstoken/accesstoken_test.go
+++ b/accesstoken/accesstoken_test.go
@@ -81,8 +81,8 @@ func TestCheck(t *testing.T) {
        }
 
        valid, err = cs.Check(ctx, "x", "badsecret")
-       if err != nil {
-               t.Fatal(err)
+       if err == nil {
+               t.Fatal("invalid token check passed")
        }
        if valid {
                t.Fatal("expected bad secret to not be valid")

diff --git a/net/http/authn/authn.go b/net/http/authn/authn.go
index ac9f784..90d7521 100644 (file)
--- a/net/http/authn/authn.go
+++ b/net/http/authn/authn.go
@@ -18,7 +18,7 @@ const tokenExpiry = time.Minute * 5
 var loopbackOn = true
 
 var (
-       //ErrInvalidToken is returned when authenticate is called with invalide token.
+       //ErrInvalidToken is returned when authenticate is called with invalid token.
        ErrInvalidToken = errors.New("invalid token")
        //ErrNoToken is returned when authenticate is called with no token.
        ErrNoToken = errors.New("no token")
@@ -138,16 +138,13 @@ func (a *API) cachedTokenAuthnCheck(ctx context.Context, user, pw string) error
        a.tokenMu.Unlock()
        if !ok || time.Now().After(res.lastLookup.Add(tokenExpiry)) {
                valid, err := a.tokens.Check(ctx, user, pw)
-               if err != nil {
-                       return errors.Wrap(err)
+               if err != nil || !valid {
+                       return ErrInvalidToken
                }
                res = tokenResult{valid: valid, lastLookup: time.Now()}
                a.tokenMu.Lock()
                a.tokenMap[user+pw] = res
                a.tokenMu.Unlock()
        }
-       if !res.valid {
-               return ErrInvalidToken
-       }
        return nil
 }