Posted to commits@couchdb.apache.org by rn...@apache.org on 2020/04/01 14:31:10 UTC

[couchdb] 03/08: Merge pull request #2668 from apache/jwtf-unknown-checks

This is an automated email from the ASF dual-hosted git repository.

rnewson pushed a commit to branch backport-jwt-3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 9d60b3cd8e4f35d0941504ba2ae494f5385f1275
Author: Robert Newson <rn...@apache.org>
AuthorDate: Mon Mar 16 17:38:29 2020 +0000

    Merge pull request #2668 from apache/jwtf-unknown-checks
    
    Throw if an unknown check is passed to jwtf:decode
---
 src/jwtf/src/jwtf.erl        | 19 +++++++++++++++++++
 src/jwtf/test/jwtf_tests.erl |  4 ++++
 2 files changed, 23 insertions(+)

diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 0bdc0aa..b558bdc 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -35,6 +35,16 @@
     {<<"HS384">>, {hmac, sha384}},
     {<<"HS512">>, {hmac, sha512}}]).
 
+-define(CHECKS, [
+    alg,
+    exp,
+    iat,
+    iss,
+    kid,
+    nbf,
+    sig,
+    typ]).
+
 
 % @doc encode
 % Encode the JSON Header and Claims using Key and Alg obtained from Header
@@ -102,6 +112,7 @@ verification_algorithm(Alg) ->
 
 
 validate(Header0, Payload0, Signature, Checks, KS) ->
+    validate_checks(Checks),
     Header1 = props(decode_b64url_json(Header0)),
     validate_header(Header1, Checks),
 
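Review bot: Nothing documents that an unknown check reaches callers of `jwtf:decode` as an `error`-class exception, because the `validate_checks(Checks)` call added at the top of `validate/5` raises with `error/1`. The malformed-token test in this same commit shows bad input coming back as an `{error, _}` tuple, so the two failure modes differ. That looks intentional (a misconfigured caller rather than a bad token), but the commit title says "Throw", and code that only catches `throw` or matches on `{error, _}` will not see it. I would add a line to the doc comment of `decode`, for example `% Raises error({unknown_checks, Keys}) when Checks contains a key that is not in ?CHECKS.` The body of `validate/5` continues outside this hunk.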
@@ -112,6 +123,14 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
     Key = key(Header1, Checks, KS),
     verify(Alg, Header0, Payload0, Signature, Key).
 
+validate_checks(Checks) when is_list(Checks) ->
+    UnknownChecks = proplists:get_keys(Checks) -- ?CHECKS,
+    case UnknownChecks of
+        [] ->
+            ok;
+        UnknownChecks ->
+            error({unknown_checks, UnknownChecks})
+    end.
 
 validate_header(Props, Checks) ->
     validate_typ(Props, Checks),
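Review bot: Entries in `Checks` that are neither atoms nor tuples are never examined by `validate_checks/1`, because `proplists:get_keys/1` skips such terms. A check written as a binary or a string (say `<<"exp">>`) is therefore not reported as unknown, and presumably is not enforced by the later `validate_*` steps either, which is the same fail-open case this commit sets out to close. I would derive the key of every entry explicitly, so that anything that is not a known atom or a tuple keyed by one is rejected, and sort the result so that the reported list has a defined order. A non-list `Checks` still fails with `function_clause` through the `is_list/1` guard, which is acceptable but less descriptive than the new error.

```erlang
validate_checks(Checks) when is_list(Checks) ->
    case lists:usort([check_key(C) || C <- Checks]) -- ?CHECKS of
        [] ->
            ok;
        UnknownChecks ->
            error({unknown_checks, UnknownChecks})
    end.

% A malformed entry is its own key, so it ends up in the unknown list.
check_key(Key) when is_atom(Key) -> Key;
check_key(Tuple) when tuple_size(Tuple) >= 1 -> element(1, Tuple);
check_key(Other) -> Other.
```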
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index 222bb47..e445e5f 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -178,6 +178,10 @@ malformed_token_test() ->
     ?assertEqual({error, {bad_request, <<"Malformed token">>}},
         jwtf:decode(<<"a.b.c.d">>, [], nil)).
 
+unknown_check_test() ->
+    ?assertError({unknown_checks, [bar, foo]},
+        jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)).
+
 
 %% jwt.io generated
 hs256_test() ->
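Review bot: The expected term `{unknown_checks, [bar, foo]}` in `unknown_check_test/0` depends on the order in which `proplists:get_keys/1` returns keys, which its documentation describes as unordered, so the assertion can start failing on another OTP release without any change in jwtf. Making the order part of the contract fixes this at the source, for example `UnknownChecks = lists:usort(proplists:get_keys(Checks)) -- ?CHECKS,` in `validate_checks/1`. The test covers only unknown atoms; a case with a `{Key, Value}` entry whose key is unknown would pin the tuple form as well.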