From 5f8f8562602969701b604980289a87977e0e4c5f Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Thu, 26 Nov 2020 11:47:44 -0800
Subject: [PATCH] Remove failed bearer tokens from logs
---
 pkg/middleware/jwt_session.go | 14 ++++++++------
 pkg/middleware/jwt_session_test.go | 4 ++--
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/pkg/middleware/jwt_session.go b/pkg/middleware/jwt_session.go
index f9e137e8..0510c72a 100644
--- a/pkg/middleware/jwt_session.go
+++ b/pkg/middleware/jwt_session.go
@@ -1,6 +1,7 @@
 package middleware
 import (
+ "errors"
 "fmt"
 "net/http"
 "regexp"
@@ -9,7 +10,7 @@ import (
 middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
 sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
- "k8s.io/apimachinery/pkg/util/errors"
+ k8serrors "k8s.io/apimachinery/pkg/util/errors"
 )
 const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
@@ -70,17 +71,18 @@ func (j *jwtSessionLoader) getJwtSession(req *http.Request) (*sessionsapi.Sessio
 return nil, err
 }
- errs := []error{fmt.Errorf("unable to verify jwt token: %q", req.Header.Get("Authorization"))}
+ // This leading error message only occurs if all session loaders fail
+ errs := []error{errors.New("unable to verify bearer token")}
 for _, loader := range j.sessionLoaders {
 session, err := loader(req.Context(), token)
- if err == nil {
- return session, nil
- } else {
+ if err != nil {
 errs = append(errs, err)
+ continue
 }
+ return session, nil
 }
- return nil, errors.NewAggregate(errs)
+ return nil, k8serrors.NewAggregate(errs)
 }
 // findTokenFromHeader finds a valid JWT token from the Authorization header of a given request.
diff --git a/pkg/middleware/jwt_session_test.go b/pkg/middleware/jwt_session_test.go
index aac5d5af..cd34c5ad 100644
--- a/pkg/middleware/jwt_session_test.go
+++ b/pkg/middleware/jwt_session_test.go
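Review bot: The Authorization header no longer appears in the seeded message, but the loop in getJwtSession still appends each loader's error verbatim, and nothing in this hunk prevents a loader from embedding the bearer token in its own error text; whether any current loader does is not visible here. I would pin that expectation next to the append: `// loader errors are surfaced as-is: loaders must not echo the raw token in their error text`. The new comment above `errs` is also slightly off — the message is always constructed and only surfaced when every loader fails — so I would have it say why it is generic: `// Generic seed for the aggregate (only returned when every loader fails); it deliberately omits the Authorization header so the token never reaches the logs`. getJwtSession begins before this hunk.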
@@ -225,7 +225,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 Entry("Bearer ", getJWTSessionTableInput{
 authorizationHeader: fmt.Sprintf("Bearer %s", nonVerifiedToken),
 expectedErr: k8serrors.NewAggregate([]error{
- errors.New("unable to verify jwt token: \"Bearer eyJfoobar.eyJfoobar.12345asdf\""),
+ errors.New("unable to verify bearer token"),
 errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 }),
 expectedSession: nil,
@@ -238,7 +238,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 Entry("Basic Base64(:) (No password)", getJWTSessionTableInput{
 authorizationHeader: "Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6",
 expectedErr: k8serrors.NewAggregate([]error{
- errors.New("unable to verify jwt token: \"Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6\""),
+ errors.New("unable to verify bearer token"),
 errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 }),
 expectedSession: nil,