Posted to commits@couchdb.apache.org by rn...@apache.org on 2020/04/01 14:31:10 UTC
[couchdb] 03/08: Merge pull request #2668 from
apache/jwtf-unknown-checks
This is an automated email from the ASF dual-hosted git repository.
rnewson pushed a commit to branch backport-jwt-3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 9d60b3cd8e4f35d0941504ba2ae494f5385f1275
Author: Robert Newson <rn...@apache.org>
AuthorDate: Mon Mar 16 17:38:29 2020 +0000
Merge pull request #2668 from apache/jwtf-unknown-checks
Throw if an unknown check is passed to jwtf:decode
---
src/jwtf/src/jwtf.erl | 19 +++++++++++++++++++
src/jwtf/test/jwtf_tests.erl | 4 ++++
2 files changed, 23 insertions(+)
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 0bdc0aa..b558bdc 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -35,6 +35,16 @@
{<<"HS384">>, {hmac, sha384}},
{<<"HS512">>, {hmac, sha512}}]).
+-define(CHECKS, [
+ alg,
+ exp,
+ iat,
+ iss,
+ kid,
+ nbf,
+ sig,
+ typ]).
+
% @doc encode
% Encode the JSON Header and Claims using Key and Alg obtained from Header
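Review bot: The new `?CHECKS` allow-list has no comment tying it to the `validate_*` functions that actually consume `Checks`, so a check added to validation later but not to this list would be rejected by `validate_checks/1` as unknown, while a name added here that nothing validates would be accepted silently. I would put above the `-define`: `%% Every check name decode/3 accepts; validate_checks/1 rejects any other. Keep in sync with the validate_* clauses below.` The list is the only thing that stands between a misspelled check in a caller's configuration and that check being silently skipped, which is the security point of this commit, so that coupling deserves to be stated. The `-define` sits at module level, so nothing in this hunk is cut off.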
@@ -102,6 +112,7 @@ verification_algorithm(Alg) ->
validate(Header0, Payload0, Signature, Checks, KS) ->
+ validate_checks(Checks),
Header1 = props(decode_b64url_json(Header0)),
validate_header(Header1, Checks),
@@ -112,6 +123,14 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
Key = key(Header1, Checks, KS),
verify(Alg, Header0, Payload0, Signature, Key).
+validate_checks(Checks) when is_list(Checks) ->
+ UnknownChecks = proplists:get_keys(Checks) -- ?CHECKS,
+ case UnknownChecks of
+ [] ->
+ ok;
+ UnknownChecks ->
+ error({unknown_checks, UnknownChecks})
+ end.
validate_header(Props, Checks) ->
validate_typ(Props, Checks),
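Review bot: `UnknownChecks` in `validate_checks/1` is taken straight from `proplists:get_keys/1`, whose documentation describes the result as unordered, so the order inside `{unknown_checks, ...}` is implementation-defined and the companion test that pins `[bar, foo]` can break on a different OTP release. Sorting makes the raised term deterministic and easy to assert on: `UnknownChecks = lists:sort(proplists:get_keys(Checks) -- ?CHECKS),`. The function also lacks a doc comment and `-spec`; I would add `%% @doc Fail fast on a misconfigured Checks list: raises error({unknown_checks, Names}) for any name not in ?CHECKS.` plus `-spec validate_checks([atom() | {atom(), term()}]) -> ok.`, where the tuple form is inferred from the use of proplists and should be confirmed against the callers. Raising `error/1` here rather than whatever produces the `{bad_request, ...}` result seen in the tests is the right choice, since an unknown check is a caller bug and not a bad token, and a one-line comment saying so would stop someone later "fixing" it into a 400. `validate/5` starts and continues outside this hunk.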
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index 222bb47..e445e5f 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -178,6 +178,10 @@ malformed_token_test() ->
?assertEqual({error, {bad_request, <<"Malformed token">>}},
jwtf:decode(<<"a.b.c.d">>, [], nil)).
+unknown_check_test() ->
+ ?assertError({unknown_checks, [bar, foo]},
+ jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)).
+
%% jwt.io generated
hs256_test() ->
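Review bot: `unknown_check_test/0` asserts the exact list `[bar, foo]`, but that order is whatever `proplists:get_keys/1` happens to yield (its documentation calls the result unordered), so the test is pinned to stdlib internals rather than to the contract of `validate_checks/1`. The cleanest fix is to have `validate_checks/1` sort before raising; failing that, keep the assertion order-insensitive with a guard, `?assertError({unknown_checks, L} when lists:sort(L) =:= [bar, foo], jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)),` if this eunit version accepts guards in `?assertError` patterns. A positive case is also missing: nothing here shows that a known check passed in tuple form, e.g. `{iss, <<"x">>}` if that form is supported, is not reported as unknown, and that is the case most likely to regress. The duplicated `exp` in the input is useful and worth a comment, `%% duplicates of known checks are tolerated`, so it is not removed as a typo.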