revert 'Return HTTP status 400 if missing JWT' (#13) back to returning 401

Author: aldas

jwt.go

@@ -147,8 +147,7 @@ func (e *TokenError) Unwrap() error { return e.Err }
 // JWT returns a JSON Web Token (JWT) auth middleware.
 //
 // For valid token, it sets the user in context and calls next handler.
-// For invalid token, it returns "401 - Unauthorized" error.
-// For missing token, it returns "400 - Bad Request" error.
+// For invalid or missing token, middleware returns "401 - Unauthorized" error.
 //
 // See: https://jwt.io/introduction
 func JWT(signingKey interface{}) echo.MiddlewareFunc {
@@ -158,8 +157,7 @@ func JWT(signingKey interface{}) echo.MiddlewareFunc {
 // WithConfig returns a JSON Web Token (JWT) auth middleware or panics if configuration is invalid.
 //
 // For valid token, it sets the user in context and calls next handler.
-// For invalid token, it returns "401 - Unauthorized" error.
-// For missing token, it returns "400 - Bad Request" error.
+// For invalid or missing token, middleware returns "401 - Unauthorized" error.
 //
 // See: https://jwt.io/introduction
 func WithConfig(config Config) echo.MiddlewareFunc {
@@ -256,7 +254,7 @@ func (config Config) ToMiddleware() (echo.MiddlewareFunc, error) {
 			}
 
 			if lastTokenErr == nil {
-				return echo.NewHTTPError(http.StatusBadRequest, "missing or malformed jwt").SetInternal(err)
+				return echo.NewHTTPError(http.StatusUnauthorized, "missing or malformed jwt").SetInternal(err)
 			}
 
 			return echo.NewHTTPError(http.StatusUnauthorized, "invalid or expired jwt").SetInternal(err)

jwt_test.go

@@ -156,14 +156,14 @@ func TestJWT_combinations(t *testing.T) {
 			config: Config{
 				SigningKey: validKey,
 			},
-			expectError: "code=400, message=missing or malformed jwt, internal=invalid value in request header",
+			expectError: "code=401, message=missing or malformed jwt, internal=invalid value in request header",
 		},
 		{
 			name: "Empty header auth field",
 			config: Config{
 				SigningKey: validKey,
 			},
-			expectError: "code=400, message=missing or malformed jwt, internal=invalid value in request header",
+			expectError: "code=401, message=missing or malformed jwt, internal=invalid value in request header",
 		},
 		{
 			name: "Valid query method",
@@ -180,7 +180,7 @@ func TestJWT_combinations(t *testing.T) {
 				TokenLookup: "query:jwt",
 			},
 			reqURL:      "/?a=b&jwtxyz=" + token,
-			expectError: "code=400, message=missing or malformed jwt, internal=missing value in the query string",
+			expectError: "code=401, message=missing or malformed jwt, internal=missing value in the query string",
 		},
 		{
 			name: "Invalid query param value",
@@ -198,7 +198,7 @@ func TestJWT_combinations(t *testing.T) {
 				TokenLookup: "query:jwt",
 			},
 			reqURL:      "/?a=b",
-			expectError: "code=400, message=missing or malformed jwt, internal=missing value in the query string",
+			expectError: "code=401, message=missing or malformed jwt, internal=missing value in the query string",
 		},
 		{
 			config: Config{
@@ -239,7 +239,7 @@ func TestJWT_combinations(t *testing.T) {
 				SigningKey:  validKey,
 				TokenLookup: "cookie:jwt",
 			},
-			expectError: "code=400, message=missing or malformed jwt, internal=missing value in cookies",
+			expectError: "code=401, message=missing or malformed jwt, internal=missing value in cookies",
 		},
 		{
 			name: "Valid form method",
@@ -264,7 +264,7 @@ func TestJWT_combinations(t *testing.T) {
 				SigningKey:  validKey,
 				TokenLookup: "form:jwt",
 			},
-			expectError: "code=400, message=missing or malformed jwt, internal=missing value in the form",
+			expectError: "code=401, message=missing or malformed jwt, internal=missing value in the form",
 		},
 	}