Removed whitelist of JWT errors

refs https://linear.app/tryghost/issue/ENG-712/ I don't think we ever need to respond with a 500 here, if the verify call fails, we know that the token is unauthorized for use.
2025-01-20 22:42:53 -05:00 · 2024-03-04 10:58:17 -05:00 · 2024-03-04 10:58:17 -05:00 · d9fb4787ec
commit d9fb4787ec
parent dcbd168585
1 changed files with 5 additions and 10 deletions
--- a/ghost/core/core/server/services/auth/api-key/admin.js
+++ b/ghost/core/core/server/services/auth/api-key/admin.js
@ -159,16 +159,11 @@ const authenticateWithToken = async function apiKeyAuthenticateWithToken(req, re
        try {
            jwt.verify(token, secret, options);
        } catch (err) {
-            if (err.name === 'TokenExpiredError' || err.name === 'JsonWebTokenError' || err.name === 'NotBeforeError') {
-                return next(new errors.UnauthorizedError({
-                    message: tpl(messages.invalidTokenWithMessage, {message: err.message}),
-                    code: 'INVALID_JWT',
-                    err
-                }));
-            }
-
-            // unknown error
-            return next(new errors.InternalServerError({err}));
+            return next(new errors.UnauthorizedError({
+                message: tpl(messages.invalidTokenWithMessage, {message: err.message}),
+                code: 'INVALID_JWT',
+                err
+            }));
        }

        // authenticated OK