Description
When `get_current_user()` in `security.py` receives an expired JWT, `jwt.decode()` raises `jwt.ExpiredSignatureError`. That exception is swallowed by a bare `except Exception`, so the client receives the same generic 401 "Invalid token" response as for any other failure. The client therefore cannot distinguish between:
- Token is malformed/tampered → "Invalid token"
- Token is expired → should be "Token expired — please re-login"
Because the two cases are indistinguishable, clients are forced to show a generic "session expired" message instead of a targeted re-authentication prompt.
Affected Files
backend/app/security.py:60-65
Current code
```python
try:
    user_id = decode_access_token(credentials.credentials)
except Exception:  # catches ExpiredSignatureError too!
    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token"
    )
```
Expected Behavior
Catch `jwt.ExpiredSignatureError` and `jwt.InvalidTokenError` explicitly and return distinguishable error messages:
- "Token has expired — please log in again" for expired tokens
- "Invalid token" for tampered/malformed tokens
Labels
type:bug, level:intermediate, gssoc2026