fix: LoginSTS should be an inline implementation (#11337)

STS tokens can be obtained by using local APIs once the remote JWT token is presented, current code was not validating the incoming token in the first place and was incorrectly making a network operation using that token. For the most part this always works without issues, but under adversarial scenarios it exposes client to hand-craft a request that can reach internal services without authentication. This kind of proxying should be avoided before validating the incoming token.
2025-11-20 18:06:10 -05:00 · 2021-01-25 10:15:03 -08:00
parent 9cdd981ce7
commit eb6871ecd9
2 changed files with 43 additions and 29 deletions
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -2125,6 +2125,12 @@ func toAPIError(ctx context.Context, err error) APIError {
 				HTTPStatusCode: e.Response().StatusCode,
 			}
 			// Add more Gateway SDKs here if any in future.
+		default:
+			apiErr = APIError{
+				Code:           apiErr.Code,
+				Description:    fmt.Sprintf("%s: cause(%v)", apiErr.Description, err),
+				HTTPStatusCode: apiErr.HTTPStatusCode,
+			}
 		}
 	}