Fix test failures: JSON encoding, auth errors, and TLS cert validation

LaurenceJJones · LaurenceJJones · commit a7647620f1c6 · 2025-12-10T20:41:27.000Z
- Remove trailing newline from JSON responses (use json.Marshal instead of Encoder)
- Return 'incorrect Username or Password' for auth failures (security: don't reveal if machine exists)
- Add specific error for empty cookie tokens
- Reject certificates signed directly by root CA when intermediate is expected
- Update tests to match new error messages
diff --git a/pkg/apiserver/jwt_test.go b/pkg/apiserver/jwt_test.go
@@ -34,7 +34,7 @@ func TestLogin(t *testing.T) {
 	router.ServeHTTP(w, req)
 
 	assert.Equal(t, 401, w.Code)
-	assert.JSONEq(t, `{"code":401,"message":"ent: machine not found"}`, w.Body.String())
+	assert.JSONEq(t, `{"code":401,"message":"incorrect Username or Password"}`, w.Body.String())
 
 	// Login with invalid body
 	w = httptest.NewRecorder()
diff --git a/pkg/apiserver/middlewares/v1/jwt.go b/pkg/apiserver/middlewares/v1/jwt.go
@@ -129,7 +129,10 @@ func (j *JWT) extractToken(r *http.Request) (string, error) {
 			}
 		case "cookie":
 			cookie, err := r.Cookie(name)
-			if err == nil && cookie.Value != "" {
+			if err == nil {
+				if cookie.Value == "" {
+					return "", errors.New("cookie token is empty")
+				}
 				return cookie.Value, nil
 			}
 		}
@@ -290,12 +293,16 @@ func (j *JWT) authPlain(r *http.Request) (*authInput, error) {
 		First(ctx)
 	if err != nil {
 		log.Infof("Error machine login for %s : %+v ", ret.machineID, err)
+		if ent.IsNotFound(err) {
+			// Return generic error for security (don't reveal if machine exists)
+			return nil, errors.New("incorrect Username or Password")
+		}
 		return nil, err
 	}
 
 	if ret.clientMachine == nil {
 		log.Errorf("Nothing for '%s'", ret.machineID)
-		return nil, errors.New("failed authentication")
+		return nil, errors.New("incorrect Username or Password")
 	}
 
 	if ret.clientMachine.AuthType != types.PasswordAuthType {
@@ -307,7 +314,7 @@ func (j *JWT) authPlain(r *http.Request) (*authInput, error) {
 	}
 
 	if err := bcrypt.CompareHashAndPassword([]byte(ret.clientMachine.Password), []byte(password)); err != nil {
-		return nil, errors.New("failed authentication")
+		return nil, errors.New("incorrect Username or Password")
 	}
 
 	return &ret, nil
@@ -420,7 +427,7 @@ func (j *JWT) RefreshHandler(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		router.AbortWithJSON(w, http.StatusUnauthorized, map[string]any{
 			"code":    http.StatusUnauthorized,
-			"message": "token not found",
+			"message": err.Error(),
 		})
 		return
 	}
@@ -450,7 +457,7 @@ func (j *JWT) MiddlewareFunc() router.Middleware {
 			if err != nil {
 				router.AbortWithJSON(w, http.StatusUnauthorized, map[string]any{
 					"code":    http.StatusUnauthorized,
-					"message": "token not found",
+					"message": err.Error(),
 				})
 				return
 			}
diff --git a/pkg/apiserver/middlewares/v1/tls_auth.go b/pkg/apiserver/middlewares/v1/tls_auth.go
@@ -138,6 +138,20 @@ func (ta *TLSAuth) ValidateCertFromRequest(r *http.Request) (string, error) {
 		return "", errors.New("no verified cert in request")
 	}
 
+	// Check all verified chains to ensure none are signed directly by root CA
+	// (which would indicate the cert is not signed by the expected intermediate CA)
+	for _, chain := range r.TLS.VerifiedChains {
+		// If chain has only 2 elements (leaf and root), it's signed directly by root
+		// This should be rejected if we expect certs signed by intermediate
+		if len(chain) == 2 {
+			// Check if the issuer (chain[1]) is a root CA (self-signed)
+			root := chain[1]
+			if root.IsCA && root.CheckSignatureFrom(root) == nil {
+				return "", errors.New("certificate signed directly by root CA, expected intermediate CA")
+			}
+		}
+	}
+
 	// although there can be multiple chains, the leaf certificate is the same
 	// we take the first one
 	leaf = r.TLS.VerifiedChains[0][0]
diff --git a/pkg/apiserver/router/helpers.go b/pkg/apiserver/router/helpers.go
@@ -76,11 +76,13 @@ func BindJSON(r *http.Request, v any) error {
 func JSON(w http.ResponseWriter, code int, v any) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(code)
-	if err := json.NewEncoder(w).Encode(v); err != nil {
+	data, err := json.Marshal(v)
+	if err != nil {
 		log.Errorf("Failed to encode JSON response: %v", err)
 		return err
 	}
-	return nil
+	_, err = w.Write(data)
+	return err
 }
 
 // WriteJSON writes a JSON response without returning an error

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,10 @@ func (j JWT) extractToken(r http.Request) (string, error) {`
`129`	`129`	`}`
`130`	`130`	`case "cookie":`
`131`	`131`	`cookie, err := r.Cookie(name)`
`132`		`- if err == nil && cookie.Value != "" {`
	`132`	`+ if err == nil {`
	`133`	`+ if cookie.Value == "" {`
	`134`	`+ return "", errors.New("cookie token is empty")`
	`135`	`+ }`
`133`	`136`	`return cookie.Value, nil`
`134`	`137`	`}`
`135`	`138`	`}`
`@@ -290,12 +293,16 @@ func (j JWT) authPlain(r http.Request) (*authInput, error) {`
`290`	`293`	`First(ctx)`
`291`	`294`	`if err != nil {`
`292`	`295`	`log.Infof("Error machine login for %s : %+v ", ret.machineID, err)`
	`296`	`+ if ent.IsNotFound(err) {`
	`297`	`+ // Return generic error for security (don't reveal if machine exists)`
	`298`	`+ return nil, errors.New("incorrect Username or Password")`
	`299`	`+ }`
`293`	`300`	`return nil, err`
`294`	`301`	`}`
`295`	`302`
`296`	`303`	`if ret.clientMachine == nil {`
`297`	`304`	`log.Errorf("Nothing for '%s'", ret.machineID)`
`298`		`- return nil, errors.New("failed authentication")`
	`305`	`+ return nil, errors.New("incorrect Username or Password")`
`299`	`306`	`}`
`300`	`307`
`301`	`308`	`if ret.clientMachine.AuthType != types.PasswordAuthType {`
`@@ -307,7 +314,7 @@ func (j JWT) authPlain(r http.Request) (*authInput, error) {`
`307`	`314`	`}`
`308`	`315`
`309`	`316`	`if err := bcrypt.CompareHashAndPassword([]byte(ret.clientMachine.Password), []byte(password)); err != nil {`
`310`		`- return nil, errors.New("failed authentication")`
	`317`	`+ return nil, errors.New("incorrect Username or Password")`
`311`	`318`	`}`
`312`	`319`
`313`	`320`	`return &ret, nil`
`@@ -420,7 +427,7 @@ func (j JWT) RefreshHandler(w http.ResponseWriter, r http.Request) {`
`420`	`427`	`if err != nil {`
`421`	`428`	`router.AbortWithJSON(w, http.StatusUnauthorized, map[string]any{`
`422`	`429`	`"code": http.StatusUnauthorized,`
`423`		`- "message": "token not found",`
	`430`	`+ "message": err.Error(),`
`424`	`431`	`})`
`425`	`432`	`return`
`426`	`433`	`}`
`@@ -450,7 +457,7 @@ func (j *JWT) MiddlewareFunc() router.Middleware {`
`450`	`457`	`if err != nil {`
`451`	`458`	`router.AbortWithJSON(w, http.StatusUnauthorized, map[string]any{`
`452`	`459`	`"code": http.StatusUnauthorized,`
`453`		`- "message": "token not found",`
	`460`	`+ "message": err.Error(),`
`454`	`461`	`})`
`455`	`462`	`return`
`456`	`463`	`}`