Posted to commits@couchdb.apache.org by rn...@apache.org on 2020/04/01 14:31:09 UTC
[couchdb] 02/08: Merge pull request #2661 from
apache/jwtf-enhance-alg-check
This is an automated email from the ASF dual-hosted git repository.
rnewson pushed a commit to branch backport-jwt-3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 9814772f483b80288432647df3f8f3dc6b410949
Author: Robert Newson <rn...@apache.org>
AuthorDate: Fri Mar 13 18:03:07 2020 +0000
Merge pull request #2661 from apache/jwtf-enhance-alg-check
Enhance alg check
---
src/jwtf/src/jwtf.erl | 7 ++++---
src/jwtf/test/jwtf_tests.erl | 12 +++++++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 8e58e08..0bdc0aa 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -139,10 +139,11 @@ validate_alg(Props, Checks) ->
case {Required, Alg} of
{undefined, _} ->
ok;
- {true, undefined} ->
+ {Required, undefined} when Required /= undefined ->
throw({bad_request, <<"Missing alg header parameter">>});
- {true, Alg} ->
- case lists:member(Alg, valid_algorithms()) of
+ {Required, Alg} when Required == true; is_list(Required) ->
+ AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
+ case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
true ->
ok;
false ->
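Review bot: The accept decision on the added lines is split between the clause guard (`Required == true; is_list(Required)`) and an inline `if` that re-derives the same distinction, which makes the one security-critical rule of this module hard to read at a glance — the `alg` value being compared comes from the token header and is attacker-controlled. I would move the allow-list decision into a small two-clause helper and keep the `andalso lists:member(Alg, valid_algorithms())` conjunction exactly as it is, so an allow-listed but unsupported algorithm is still rejected as `reject_unknown_alg_test` expects. A configured value that is neither `true` nor a list (for example `{alg, false}`) matches no clause of this `case` and presumably surfaces as a `case_clause` crash rather than a `bad_request`; if that is not intended, an explicit final clause raising a configuration error would be clearer than relying on the crash. On the positive side the comparison is binary-to-binary, so no atom is created from untrusted input. validate_alg begins before this hunk and its `false ->` branch continues after it.
```erlang
        {Required, Alg} when Required == true; is_list(Required) ->
            case is_allowed_alg(Alg, Required) andalso lists:member(Alg, valid_algorithms()) of
            %% … unchanged: true -> ok; false -> throw bad_request …

%% `true` accepts every supported algorithm; a list restricts acceptance to the
%% named ones, so a deployment keyed for RS256 can refuse HS256-signed tokens.
is_allowed_alg(_Alg, true) -> true;
is_allowed_alg(Alg, Allowed) when is_list(Allowed) -> lists:member(Alg, Allowed).
```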
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index dcebe5f..222bb47 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,6 +82,16 @@ invalid_alg_test() ->
?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
jwtf:decode(Encoded, [alg], nil)).
+not_allowed_alg_test() ->
+ Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
+ ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+ jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
+
+reject_unknown_alg_test() ->
+ Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
+ ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+ jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
+
missing_iss_test() ->
Encoded = encode(valid_header(), {[]}),
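Review bot: The two added tests pin rejection of a disallowed algorithm and of an unknown one, but nothing pins the fail-closed behaviour of an empty allow-list, which is the shape a mis-edited configuration is most likely to take. I would add an `empty_alg_allow_list_test` that encodes `{[{<<"alg">>, <<"HS256">>}]}` and decodes with `[{alg, []}]`, asserting the same `{error, {bad_request,<<"Invalid alg header parameter">>}}` result, so a future change cannot silently turn an empty list into "accept everything". Both new tests repeat the expected-error tuple verbatim; a shared `?INVALID_ALG` macro or a single `_test_()` generator would keep the three rejection cases side by side. `missing_iss_test` continues past the end of this hunk.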
@@ -176,7 +186,7 @@ hs256_test() ->
"6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
"Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
- Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
+ Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).