Posted to commits@couchdb.apache.org by rn...@apache.org on 2020/04/01 14:31:09 UTC

[couchdb] 02/08: Merge pull request #2661 from apache/jwtf-enhance-alg-check

This is an automated email from the ASF dual-hosted git repository.

rnewson pushed a commit to branch backport-jwt-3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 9814772f483b80288432647df3f8f3dc6b410949
Author: Robert Newson <rn...@apache.org>
AuthorDate: Fri Mar 13 18:03:07 2020 +0000

    Merge pull request #2661 from apache/jwtf-enhance-alg-check
    
    Enhance alg check
---
 src/jwtf/src/jwtf.erl        |  7 ++++---
 src/jwtf/test/jwtf_tests.erl | 12 +++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 8e58e08..0bdc0aa 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -139,10 +139,11 @@ validate_alg(Props, Checks) ->
     case {Required, Alg} of
         {undefined, _} ->
             ok;
-        {true, undefined} ->
+        {Required, undefined} when Required /= undefined ->
             throw({bad_request, <<"Missing alg header parameter">>});
-        {true, Alg} ->
-            case lists:member(Alg, valid_algorithms()) of
+        {Required, Alg} when Required == true; is_list(Required) ->
+            AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
+            case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
                 true ->
                     ok;
                 false ->
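Review bot: The guard `when Required /= undefined` on the second clause is redundant, since the `{undefined, _}` clause above it already consumes every `undefined` value of Required, and the inline `if` on the following added line is the kind of branching the module's own clause style handles better. I would drop that guard and replace the `if` with a small helper, `alg_allowed(true, _Alg) -> true;` / `alg_allowed(Allowed, Alg) when is_list(Allowed) -> lists:member(Alg, Allowed).`, using `=:=` rather than `==` for the atom comparison in the third clause's guard. Note that a Required value that is neither `true`, `undefined` nor a list now falls off the end of the `case` with a `case_clause` error; if that is the intended contract for mis-typed checks, a one-line comment above the `case` saying so would help the next reader. validate_alg starts before this hunk and its `false ->` branch continues after it.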
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index dcebe5f..222bb47 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,6 +82,16 @@ invalid_alg_test() ->
     ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
         jwtf:decode(Encoded, [alg], nil)).
 
+not_allowed_alg_test() ->
+    Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
+    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+        jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
+
+reject_unknown_alg_test() ->
+    Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
+    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+        jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
+
 
 missing_iss_test() ->
     Encoded = encode(valid_header(), {[]}),
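Review bot: The new tests pin the two rejection paths (alg not in the allow-list, alg unknown even when listed) but not the boundary where an operator configures an empty allow-list, which from the `lists:member/2` check in jwtf.erl should reject every token; a test such as `?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}}, jwtf:decode(Encoded, [{alg, []}], nil))` would lock that in. The added trailing blank line leaves two consecutive blank lines before missing_iss_test, which is inconsistent with the single blank line used between the other tests in this hunk. The two test names also follow different patterns (`not_allowed_alg_test` vs `reject_unknown_alg_test`); aligning them with the existing `invalid_alg_test` naming, e.g. `unknown_alg_test`, would read more consistently.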
@@ -176,7 +186,7 @@ hs256_test() ->
                      "6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
                      "Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
     KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
-    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
+    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
     ?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).