fix(controlplane): surface token expiry instead of federated error for expired tokens #3227

…r expired tokens

An expired Chainloop token presented to an attestation endpoint with federated authentication enabled fell through to the federated provider, which masked the expiry with an unrelated authorization error (e.g. "no issuers configured"). Expired tokens now short-circuit and return the proper expiry error so the CLI reports "your authentication token has expired".

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Chainloop-Trace-Sessions: b42ff77f-1a2b-41f5-a09c-cb9a0399bdec
AI Session Analysis
| Status | Attribution | File | Lines |
|---|---|---|---|
| modified | ai | app/controlplane/internal/usercontext/attjwtmiddleware/attmiddleware_test.go | +56 / -0 |
| modified | ai | app/controlplane/internal/usercontext/attjwtmiddleware/attmiddleware.go | +14 / -0 |
Policies (4, 1 failing)
| Status | Policy | Material | Messages |
|---|---|---|---|
| ✅ Passed | ai-config-ai-agents-allowed | ai-coding-session-b42ff7 | - |
| ✅ Passed | ai-config-no-dangerous-commands | ai-coding-session-b42ff7 | - |
| | ai-config-no-secrets | ai-coding-session-b42ff7 | |
| ✅ Passed | ai-config-mcp-servers-allowed | ai-coding-session-b42ff7 | - |
Powered by Chainloop and Chainloop Trace
Summary
Attestation endpoints (`attestation init/add/push/status/reset`) support federated authentication. When an expired Chainloop token was presented to one of these endpoints, the JWT middleware fell through to the federated provider, whose response masked the real reason with an unrelated authorization error (e.g. `failed to load issuer: authorization error: no issuers configured`).

This change makes an expired token short-circuit and return the proper expiry error, so the CLI reports `your authentication token has expired, please run "chainloop auth login" again`, matching the behavior of non-attestation commands.

Fixes #3226
AI assistance
This contribution was assisted by Claude Code.
🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri
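
An added example, not code from this pull request or from Chainloop: a stdlib-only Go sketch of the fall-through described in the summary and of the short-circuit that replaces it. Every type, function and error name is hypothetical, and the token is a constructed struct rather than a parsed JWT.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical names throughout; Token is a constructed stand-in for a parsed JWT.
var (
	ErrTokenExpired = errors.New("your authentication token has expired")
	ErrNotLocal     = errors.New("token not issued by the control plane")
	ErrNoIssuers    = errors.New("authorization error: no issuers configured")
)

type Token struct {
	Issuer    string
	ExpiresAt time.Time
}

// verifyLocal accepts unexpired tokens issued by the control plane itself.
func verifyLocal(t Token, now time.Time) error {
	if t.Issuer != "controlplane" {
		return ErrNotLocal
	}
	if !now.Before(t.ExpiresAt) {
		return ErrTokenExpired
	}
	return nil
}

func verifyFederated(Token) error { return ErrNoIssuers } // provider with no issuers

// Authenticate tries local verification, then the federated provider.
// shortCircuit=false lets every local failure fall through (expiry is masked);
// shortCircuit=true returns the expiry error before the provider is consulted.
func Authenticate(t Token, now time.Time, shortCircuit bool) error {
	err := verifyLocal(t, now)
	if err == nil || (shortCircuit && errors.Is(err, ErrTokenExpired)) {
		return err
	}
	return verifyFederated(t)
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	expired := Token{Issuer: "controlplane", ExpiresAt: now.Add(-time.Hour)}
	fmt.Println("fall-through: ", Authenticate(expired, now, false))
	fmt.Println("short-circuit:", Authenticate(expired, now, true))
}
```

Only the expiry error short-circuits here; a token from another issuer still reaches the federated provider, so the fallback path stays available for tokens that are not the control plane's own.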