Skip to content

Comments

JWT Handler Add missing TokenRejectionException#58

Merged
lmajano merged 1 commit intocoldbox-modules:developmentfrom
lanechase34:jwthandler-exceptionfix
Jan 14, 2026
Merged

JWT Handler Add missing TokenRejectionException#58
lmajano merged 1 commit intocoldbox-modules:developmentfrom
lanechase34:jwthandler-exceptionfix

Conversation

@lanechase34
Copy link
Contributor

@lanechase34 lanechase34 commented Dec 20, 2025
edited
Loading

Description

The JWT refresh token handler was not catching the TokenRejectionException thrown in jwtService.parseToken()

Updated the setErrorMessage calls to match the latest spec
Response function setErrorMessage( required errorMessage, statusCode )

Updated the actual error messages to not returned detailed response. Sometimes, this goes into too much detail, which could be a potential security risk exposing more information than necessary. Maybe this could use the Coldbox inDebugMode() flag to check and add this, but I'm not sure how to wire that up properly at this moment.

Type of change

  • Bug Fix

Checklist

  • My code follows the style guidelines of this project cfformat
  • I have commented my code, particularly in hard-to-understand areas
  • New and existing unit tests pass locally with my changes

@lanechase34
Add missing TokenRejectionException
b14258f 
Update setErrorMessage calls to match spec
Update test to check response message
@lmajano lmajano requested a review from Copilot January 14, 2026 18:09
@lmajano lmajano merged commit fc3f9e6 into coldbox-modules:development Jan 14, 2026
21 checks passed
Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a missing exception handler in the JWT refresh token endpoint and updates error handling to reduce information exposure. The PR adds a catch block for TokenRejectionException thrown when a token is not found in storage, updates setErrorMessage calls to match the current API signature (removing the third parameter), and improves security by removing detailed error messages that could leak implementation details.

Changes:

  • Added TokenRejectionException catch block in handlers/Jwt.cfc to handle tokens rejected by storage validation
  • Updated all setErrorMessage calls to use two-parameter signature (message, statusCode) instead of three
  • Removed detailed error messages (e.g., #e.message#) to prevent information disclosure
  • Enhanced test coverage for invalidated refresh tokens

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
handlers/Jwt.cfc Added missing TokenRejectionException catch block and simplified error messages by removing the third parameter and detailed exception information
test-harness/tests/specs/integration/JWTSpec.cfc Updated test to use a valid token that is then invalidated (instead of an invalid token string) to properly test the TokenRejectionException scenario

test-harness/tests/specs/integration/JWTSpec.cfc
);

var jsonResponse = deserializeJSON( event.getRenderedContent() );
expect( jsonResponse.messages[ 1 ] ).toBe( event.getResponse().getMessagesString() );
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assertion appears redundant - it's comparing the first message from the JSON response to the messages string from the response, which should always match since they're derived from the same source. Consider removing this assertion or clarifying what specific behavior it's validating.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lanechase34 @lmajano