
fix(controlplane): surface token expiry instead of federated error for expired tokens#3227

Merged
migmartri merged 1 commit into
mainfrom
fix/attestation-expired-token-error
Jun 24, 2026

Conversation

@migmartri

@migmartri migmartri commented Jun 21, 2026

Member

Summary

Attestation endpoints (attestation init/add/push/status/reset) support federated authentication. When an expired Chainloop token was presented to one of these endpoints, the JWT middleware fell through to the federated provider, whose response masked the real reason with an unrelated authorization error (e.g. "failed to load issuer: authorization error: no issuers configured").

This change makes an expired token short-circuit and return the proper expiry error, so the CLI reports your authentication token has expired, please run "chainloop auth login" again, matching the behavior of non-attestation commands.

Fixes #3226

AI assistance

This contribution was assisted by Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri

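The two-stage flow the description above outlines, as an added example in Go that is not the project's attjwtmiddleware code: the first-party user token is verified first, and only if it is not ours does the request fall through to a federated provider. Everything here is constructed for illustration: the HS256 key, the chainloopIssuer constant, the claims struct, the stub federatedAuth that returns the same "no issuers configured" error the report quotes, and the two hypothetical entry points authenticateBefore (pre-fix fallthrough) and authenticateAfter (expiry short-circuits).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed issuer of first-party Chainloop user tokens (constructed for this example).
const chainloopIssuer = "chainloop-example"

// ErrTokenExpired is what the CLI turns into "your authentication token has
// expired"; ErrFederatedAuth mimics the unrelated provider error from the report.
var (
	ErrTokenExpired  = errors.New("token has expired")
	ErrNotChainloop  = errors.New("not a chainloop user token")
	ErrFederatedAuth = errors.New("failed to load issuer: authorization error: no issuers configured")
)

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signHS256 mints a compact HS256 JWS; used only to build sample tokens.
func signHS256(c claims, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyChainloopToken checks the signature and issuer before the expiry, so only
// a token that is provably ours can be reported as expired. The header "alg" is
// ignored on purpose: the verifier always uses HMAC-SHA256 with its own key.
func verifyChainloopToken(tok string, key []byte, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, ErrNotChainloop
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrNotChainloop
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrNotChainloop
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrNotChainloop
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil || c.Iss != chainloopIssuer {
		return nil, ErrNotChainloop
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrTokenExpired
	}
	return &c, nil
}

// federatedAuth stands in for the external provider; no issuers are configured.
func federatedAuth(_ string) (string, error) { return "", ErrFederatedAuth }

// authenticateBefore reproduces the pre-fix flow: every first-party failure,
// expiry included, falls through and the provider's error masks the real cause.
func authenticateBefore(tok string, key []byte, now time.Time) (string, error) {
	if c, err := verifyChainloopToken(tok, key, now); err == nil {
		return c.Sub, nil
	}
	return federatedAuth(tok)
}

// authenticateAfter is the fixed flow: a verified-but-expired Chainloop token
// short-circuits with ErrTokenExpired; anything else still falls through.
func authenticateAfter(tok string, key []byte, now time.Time) (string, error) {
	c, err := verifyChainloopToken(tok, key, now)
	if err == nil {
		return c.Sub, nil
	}
	if errors.Is(err, ErrTokenExpired) {
		return "", err
	}
	return federatedAuth(tok)
}

func main() {
	key, now := []byte("constructed-test-key"), time.Unix(1_800_000_000, 0)
	expired := signHS256(claims{Iss: chainloopIssuer, Sub: "user-1", Exp: now.Add(-time.Hour).Unix()}, key)
	_, before := authenticateBefore(expired, key, now)
	_, after := authenticateAfter(expired, key, now)
	fmt.Println("before:", before, "\nafter: ", after)
}
```

The order inside verifyChainloopToken is the part worth keeping: the expiry check runs only after the signature and issuer have been validated, so a federated provider's own JWT, which also carries an exp claim, is never misclassified as an expired Chainloop token and still reaches the provider.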

…r expired tokens

An expired Chainloop token presented to an attestation endpoint with federated
authentication enabled fell through to the federated provider, which masked the
expiry with an unrelated authorization error (e.g. "no issuers configured").
Expired tokens now short-circuit and return the proper expiry error so the CLI
reports "your authentication token has expired".

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: b42ff77f-1a2b-41f5-a09c-cb9a0399bdec
@chainloop-platform

chainloop-platform Bot commented Jun 21, 2026

Contributor

AI Session Analysis

Avg score: 🟢 81% · Sessions: 1 · Failing policies: ⚠️ 1 · Attribution: 100% AI / 0% Human · Files: 2 · Lines: +70 / -0 · Total duration: 19m4s

🟢 81% — 100% AI — ⚠️ 1 policies failing

Jun 21, 2026 08:50 UTC · 19m4s · $9.55 · 117.7k in / 80.4k out · claude-code 2.1.185 (claude-opus-4-8)


Change Summary

  • Updates the control-plane JWT middleware so expired user tokens return the expiry error before federated auth masks it.
  • Adds a regression test around expired tokens in attjwtmiddleware.
  • Runs package tests, gofmt, golangci-lint, go build, and go vet, then commits on a feature branch.

AI Session Overall Score

🟢 81% — Bug fix looks solid, but the requested PR was never actually opened.

AI Session Analysis Breakdown

🟢 89% · solution-quality

🟢 AI checked clean main instead of weakening tests when another case broke. · High Impact

🟢 88% · context-and-planning

🟢 AI traced the auth path before editing and used a test-first approach. · High Impact

🟢 86% · verification

🟢 Regression test failed first, then the full middleware suite passed after the fix. · High Impact

🟢 84% · scope-discipline

No notes.

🟢 84% · user-trust-signal

No notes.

🟡 58% · alignment

🔴 User asked for a PR, but the session stopped at a local commit after promising a push. · High Severity

💡 When a task includes PR creation, execute and verify the push and PR steps before declaring completion.


File Attribution

████████████████████ 100% AI / 0% Human

Status Attribution File Lines
modified ai app/controlplane/internal/usercontext/attjwtmiddleware/attmiddleware_test.go +56 / -0
modified ai app/controlplane/internal/usercontext/attjwtmiddleware/attmiddleware.go +14 / -0

Policies (4, 1 failing)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-b42ff7 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-b42ff7 -
⚠️ Failed ai-config-no-secrets ai-coding-session-b42ff7
  • Potential secret (JWT) found in session content [turn=141, source=tool_result, line=105, value=eyJhbGci...Fs6Y]
  • Potential secret (JWT) found in session content [turn=141, source=tool_result, line=110, value=eyJ0eXAi...bHbo]
  • Potential secret (JWT) found in session content [turn=141, source=tool_result, line=98, value=eyJ0eXAi...XOys]
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-b42ff7 -

Powered by Chainloop and Chainloop Trace
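The ai-config-no-secrets policy above flags JWT-shaped strings in session tool output and reports each one with its turn, source, line and a redacted preview. As an added example, not Chainloop's or the policy's own implementation, here is a scanner in Go that does the same over a tool result: it matches three base64url segments whose first segment starts with "eyJ" (the encoding of `{"` that opens every JOSE header), reports findings in the same shape as the report lines, and redacts the tokens. The Finding type, the regex, the preview width and the sampleToolResult (with a made-up token) are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding mirrors the fields the policy report lists per hit.
type Finding struct {
	Turn    int
	Source  string
	Line    int
	Preview string
}

// jwtPattern: header.payload.signature, header starting with "eyJ" (base64url of `{"`).
// Segment length floors keep short base64-looking fragments from matching.
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}`)

// preview keeps the first 8 and last 4 characters, the "eyJhbGci...Fs6Y" shape
// used in the report, so a reviewer can recognise a token without seeing it.
func preview(tok string) string {
	return tok[:8] + "..." + tok[len(tok)-4:]
}

// findJWTs scans one tool result line by line and returns a finding per token.
func findJWTs(turn int, source, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, tok := range jwtPattern.FindAllString(line, -1) {
			out = append(out, Finding{Turn: turn, Source: source, Line: i + 1, Preview: preview(tok)})
		}
	}
	return out
}

// redactJWTs replaces tokens in place so the transcript can be stored or attested.
func redactJWTs(content string) string {
	return jwtPattern.ReplaceAllString(content, "[REDACTED-JWT]")
}

// sampleToolResult is constructed; the token in it is not a real credential.
const sampleToolResult = "$ chainloop auth status\nstored token:\n" +
	"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEiLCJleHAiOjB9.c2lnbmF0dXJl\n" +
	"expired: true"

func main() {
	for _, f := range findJWTs(141, "tool_result", sampleToolResult) {
		fmt.Printf("Potential secret (JWT) found in session content [turn=%d, source=%s, line=%d, value=%s]\n",
			f.Turn, f.Source, f.Line, f.Preview)
	}
	fmt.Println(redactJWTs(sampleToolResult))
}
```

Pattern-based detection is a coverage floor, not a proof of absence: a token split across lines or base64-wrapped again will not match, so the redaction step is best run before the transcript is persisted rather than relied on after the fact.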

@migmartri migmartri requested a review from a team June 21, 2026 09:11

@cubic-dev-ai cubic-dev-ai Bot left a comment



No issues found across 2 files


@migmartri migmartri merged commit b80aa21 into main Jun 24, 2026
15 of 16 checks passed
@migmartri migmartri deleted the fix/attestation-expired-token-error branch June 24, 2026 01:34


Development

Successfully merging this pull request may close these issues.

Attestation commands show misleading error for expired user token

2 participants