Kilemonn · Kilemonn · May 15, 2026 · May 15, 2026
diff --git a/src/main/kotlin/au/kilemon/messagequeue/filter/JwtAuthenticationFilter.kt b/src/main/kotlin/au/kilemon/messagequeue/filter/JwtAuthenticationFilter.kt
@@ -21,6 +21,7 @@ import org.springframework.stereotype.Component
 import org.springframework.web.filter.OncePerRequestFilter
 import org.springframework.web.servlet.HandlerExceptionResolver
 import java.util.Optional
+import kotlin.jvm.optionals.getOrElse
 
 
 /**
@@ -98,7 +99,7 @@ class JwtAuthenticationFilter: OncePerRequestFilter(), HasLogger
             }
             else if (authenticator.isInHybridMode())
             {
-                LOG.trace("Allowing request through for lower layer to check as authentication is set to [{}].", RestrictionMode.NONE)
+                LOG.trace("Allowing request through for lower layer to check as authentication is set to [{}].", RestrictionMode.HYBRID)
                 filterChain.doFilter(request, response)
             }
             else if (authenticator.isInRestrictedMode())
@@ -110,13 +111,19 @@ class JwtAuthenticationFilter: OncePerRequestFilter(), HasLogger
                 }
                 else
                 {
-                    val token = if (subQueue.isPresent) subQueue.get() else "null"
+                    val token = subQueue.getOrElse{ "null" }
                     LOG.error("Failed to manipulate sub-queue [{}] with provided token as the authentication level is set to [{}].", token, authenticator.getRestrictionMode())
                     handlerExceptionResolver.resolveException(request, response, null, MultiQueueAuthenticationException())
                     return
                 }
             }
         }
+        catch (ex: MultiQueueAuthenticationException)
+        {
+            LOG.error("Provided token is invalid and failed to be verified.", ex)
+            handlerExceptionResolver.resolveException(request, response, null, ex)
+            return
+        }
         finally
         {
             MDC.remove(SUB_QUEUE)

diff --git a/src/test/kotlin/au/kilemon/messagequeue/rest/controller/AuthControllerTest.kt b/src/test/kotlin/au/kilemon/messagequeue/rest/controller/AuthControllerTest.kt
@@ -10,6 +10,7 @@ import au.kilemon.messagequeue.message.QueueMessage
 import au.kilemon.messagequeue.queue.MultiQueue
 import au.kilemon.messagequeue.rest.response.AuthResponse
 import au.kilemon.messagequeue.settings.MessageQueueSettings
+import com.auth0.jwt.interfaces.DecodedJWT
 import com.google.gson.Gson
 import com.google.gson.reflect.TypeToken
 import org.junit.jupiter.api.Assertions
@@ -406,4 +407,37 @@ class AuthControllerTest
         Assertions.assertEquals(restrictedIdentifiers.size, identifiers.size)
         identifiers.forEach { identifier -> Assertions.assertTrue(restrictedIdentifiers.contains(identifier)) }
     }
+
+    /**
+     * Ensure that calls to the remove restriction endpoint with an invalid token fail with an unauthorised error code
+     * even when the queue is in any restriction mode.
+     */
+    @Test
+    fun testRemoveRestrictionFromSubQueue_withInvalidToken_inNoneMode()
+    {
+        Mockito.doReturn(RestrictionMode.NONE).`when`(multiQueueAuthenticator).getRestrictionMode()
+        Assertions.assertEquals(RestrictionMode.NONE, multiQueueAuthenticator.getRestrictionMode())
+
+        val token = "invalid-token"
+        Assertions.assertEquals(Optional.empty<DecodedJWT>(),jwtTokenProvider.verifyTokenForSubQueue(token))
+
+        val request = MockMvcRequestBuilders.post("${AuthController.AUTH_PATH}/some-sub-queue")
+            .header(JwtAuthenticationFilter.AUTHORIZATION_HEADER, "${JwtAuthenticationFilter.BEARER_HEADER_VALUE}${token}")
+            .contentType(MediaType.APPLICATION_JSON_VALUE)
+
+        mockMvc.perform(request)
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized)
+
+        Mockito.doReturn(RestrictionMode.HYBRID).`when`(multiQueueAuthenticator).getRestrictionMode()
+        Assertions.assertEquals(RestrictionMode.HYBRID, multiQueueAuthenticator.getRestrictionMode())
+
+        mockMvc.perform(request)
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized)
+
+        Mockito.doReturn(RestrictionMode.RESTRICTED).`when`(multiQueueAuthenticator).getRestrictionMode()
+        Assertions.assertEquals(RestrictionMode.RESTRICTED, multiQueueAuthenticator.getRestrictionMode())
+
+        mockMvc.perform(request)
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized)
+    }
 }