fix: return 401 instead of 500 on malformed GitHub OAuth tokens (#951) #952
Merged
Malformed gh_access_token values sent to /oauth/login-with-github and /oauth/link-to-github were raising jwt.DecodeError out of SimpleJWT.decode unhandled, producing 500 responses (and stack-trace alerts in SolarWinds).
- Normalize header-shape malformedness in SimpleJWT.decode to DecodeError so callers only need to handle one exception type.
- Catch DecodeError in get_github_user_info and surface it as 401.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
I appreciate you persisting and addressing this!
Summary
`gh_access_token` values sent to `/oauth/login-with-github` and `/oauth/link-to-github` were raising `jwt.DecodeError` (and a leaked `ValueError: not enough values to unpack`) unhandled, producing 500s and the SolarWinds stack-trace alerts noted in "Not Enough Segments" error on login-with-github and link-to-github #951.
- `SimpleJWT.decode` now normalizes header-shape malformedness (missing/non-int `kid`) to `DecodeError` so callers only handle one exception type.
- `get_github_user_info` now catches `DecodeError` and surfaces it as `401 Unauthorized`, matching the existing treatment of `ExpiredSignatureError`.
Test plan
- (`tests/middleware/test_simple_jwt.py`) cover: no-dot, one-dot, empty, and 3-segment-but-invalid tokens.
- (`tests/integration/oauth/test_github_token_malformed.py`) hit both `/oauth/login-with-github` and `/oauth/link-to-github` with the same malformed inputs and assert 401.
- `ruff check` and `basedpyright --level error` clean.
Closes #951.
🤖 Generated with Claude Code
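The pattern the PR describes, as an added example that is not the project's code: every way a token's header can be structurally malformed (wrong segment count, bad base64url, non-JSON header, missing or non-int `kid`) is funnelled into one `DecodeError`, and the handler maps only that error and `ExpiredSignatureError` to 401 while letting anything unexpected surface as a genuine 500. The class and function names mirror the PR description, but their internals here are assumptions: `SimpleJWT.decode_header` only inspects the JOSE header and does not verify a signature, and `get_github_user_info` returns a `(status, body)` tuple instead of a framework response. `_make_token` is a constructed helper for building sample inputs.

```python
"""Added example (not the project's code): normalize every header-shape
defect of a JWT into one exception type, then map that type to 401 at the
handler. SimpleJWT / DecodeError / get_github_user_info mirror the names in
the PR description; the token handling below is an assumption, not the
project's implementation, and no signature is verified."""
import base64
import binascii
import json


class DecodeError(Exception):
    """Single exception type for any structurally malformed token."""


class ExpiredSignatureError(Exception):
    """Stands in for the expiry error the handler already mapped to 401."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise DecodeError("segment is not valid base64url") from exc


class SimpleJWT:
    @staticmethod
    def decode_header(token: str) -> dict:
        """Return the JOSE header as a dict, or raise DecodeError.

        Wrong segment count, bad base64url, non-JSON header and a missing
        or non-int kid all become DecodeError, so callers handle one
        exception instead of a tuple-unpacking ValueError plus separate
        base64/JSON errors.
        """
        if not isinstance(token, str) or not token:
            raise DecodeError("token is empty")
        parts = token.split(".")
        if len(parts) != 3:
            # Checking the count up front is what replaces the leaked
            # 'ValueError: not enough values to unpack'.
            raise DecodeError(f"expected 3 segments, got {len(parts)}")
        try:
            header = json.loads(_b64url_decode(parts[0]))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            raise DecodeError("header is not valid JSON") from exc
        if not isinstance(header, dict):
            raise DecodeError("header is not a JSON object")
        kid = header.get("kid")
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(kid, bool) or not isinstance(kid, int):
            raise DecodeError("header kid missing or not an int")
        return header


def get_github_user_info(token: str) -> tuple[int, dict]:
    """Handler-shaped wrapper returning (status, body).

    Only the two expected token errors become 401; any other exception
    propagates, so a real bug still shows up as a 500 and an alert.
    """
    try:
        header = SimpleJWT.decode_header(token)
    except (DecodeError, ExpiredSignatureError):
        return 401, {"error": "invalid or expired token"}
    return 200, {"kid": header["kid"]}


def _make_token(header: dict) -> str:
    # Constructed helper: arbitrary header plus dummy payload ("{}") and
    # signature segments, enough to exercise the header checks above.
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{seg}.e30.sig"


if __name__ == "__main__":
    # Constructed sample inputs matching the PR's test plan categories.
    for sample in ["", "nodots", "one.dot", "a.b.c",
                   _make_token({"alg": "HS256"}), _make_token({"kid": "7"}),
                   _make_token({"kid": 7})]:
        print(repr(sample[:30]), "->", get_github_user_info(sample)[0])
```

The point of the `(DecodeError, ExpiredSignatureError)` tuple in the handler is that it is closed: a new failure mode that is not one of those two still raises, which is the behaviour you want for bugs, while every client-controlled malformation is already folded into `DecodeError` one layer down.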