Description
When authenticating with a token whose issuer (iss claim) does not match a valid JWKS issuer, the server returns a response containing a full stack trace in the body. This appears to be unintended — invalid/expired tokens return a short, descriptive error instead. Question here: should it return a short error response as it returns with expired token error message ?
Steps to Reproduce
curl --data '[]' \
-H 'Accept: text/plain' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjIwMjYtMDMtMjVUMTg6MTc6NTAuMDMwWiJ9.eyJzdWIiOiJqd2tzIiwiaXNzIjoiZmlsZTovLy9hcHAvcHVibGljL2NyYXRlcy9jb3JlL3NyYy9hdXRoL3Rva2VuX3ZhbGlkYXRpb24ucnM_aWdub3JlPSIsImlhdCI6MTc3ODAzODIwNywiZXhwIjoxODA5NTk1ODA3fQ.LajSpDhc2BZ4b6_L0TzC577rVHtBIcthjJbX3_w0mLYEIiu7fAs8GtF9SWgc2Je1Zm8BDSGzLpCBgiitHLm-kA' \
https://maincloud.spacetimedb.com/v1/database/test/call/any_procedure
Description
When authenticating with a token whose issuer (
issclaim) does not match a valid JWKS issuer, the server returns a response containing a full stack trace in the body. This appears to be unintended — invalid/expired tokens return a short, descriptive error instead. Question here: should it return a short error response as it returns with expired token error message ?Steps to Reproduce