Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/27 22:05:00 UTC
[GitHub] [couchdb] rnewson opened a new pull request #2727: Only trust the server's declaration of JWT key type
URL: https://github.com/apache/couchdb/pull/2727
## Overview
We now insist that the server config specifies the key type of the key and use this when looking up the key for a given token. This prevents the known RS256<>HS256 attack, where an attacker discovers a public key trusted by the server and forges an HS256 token using its encoded form.
## Testing recommendations
Covered by new unit tests.
## Related Issues or Pull Requests
N/A
## Checklist
- [x] Code is written and works correctly
- [x] Changes are covered by tests
- [x] Any new configurable parameters are documented in `rel/overlay/etc/default.ini`
- [ ] A PR for documentation changes has been made in https://github.com/apache/couchdb-documentation
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
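The attack the PR description refers to, and the shape of the fix, as an added worked example that is not CouchDB's code or the code in this PR. It is a toy JWT verifier in Python: the RS256 side uses textbook RSA over a raw SHA-256 digest with two well-known primes (no PKCS#1 padding, no real key parsing), the "PEM" is a constructed wrapper around those numbers, and the key ids, claims and the `rsa`/`hmac` type labels are assumptions for illustration. The vulnerable verifier lets the token's `alg` header decide how the stored key bytes are used; the fixed verifier consults a key type declared in server configuration and rejects any token whose `alg` does not match it before touching the key.

```python
"""Toy JWT verifier: RS256/HS256 key confusion and the config-declared-type fix."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed toy RSA key (assumption, not a real key): two well-known primes,
# textbook RSA applied to the raw SHA-256 digest, no PKCS#1 v1.5 padding.
_P = 2**255 - 19
_Q = 2**521 - 1
RSA_N = _P * _Q              # about 776 bits, so a 256-bit digest is < N
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# What an operator would paste into server config: the public half in a
# PEM-looking wrapper (constructed format). The attacker needs exactly these bytes.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + b64url(RSA_N.to_bytes(98, "big") + RSA_E.to_bytes(3, "big"))
    + "\n-----END PUBLIC KEY-----\n"
)


def _digest_int(signing_input: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")


def rs256_sign(signing_input: bytes) -> bytes:
    return pow(_digest_int(signing_input), _RSA_D, RSA_N).to_bytes(98, "big")


def rs256_verify(signing_input: bytes, sig: bytes) -> bool:
    # Uses the single toy public key above; a real verifier would parse the PEM.
    return pow(int.from_bytes(sig, "big"), RSA_E, RSA_N) == _digest_int(signing_input)


def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode(header: dict, claims: dict, sign) -> str:
    """Build header.payload.signature; `sign` maps signing input to raw signature bytes."""
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + b64url(sign(signing_input))


def _split(token: str):
    h, c, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(c)),
            (h + "." + c).encode(), b64url_decode(s))


def verify_vulnerable(token: str, keys: dict) -> Optional[dict]:
    """keys: kid -> key material only. The token's alg picks how it is used."""
    header, claims, signing_input, sig = _split(token)
    key = keys[header["kid"]]
    if header["alg"] == "RS256":
        ok = rs256_verify(signing_input, sig)
    elif header["alg"] == "HS256":
        # Bug: the configured RSA public key is silently reused as an HMAC secret.
        ok = hmac.compare_digest(hs256_sign(signing_input, key.encode()), sig)
    else:
        ok = False
    return claims if ok else None


def verify_fixed(token: str, keys: dict) -> Optional[dict]:
    """keys: kid -> (server-declared key type, key material)."""
    header, claims, signing_input, sig = _split(token)
    kty, key = keys[header["kid"]]
    alg = header["alg"]
    # The server configuration, not the token, decides what the key may do.
    if kty == "rsa" and alg == "RS256":
        ok = rs256_verify(signing_input, sig)
    elif kty == "hmac" and alg == "HS256":
        ok = hmac.compare_digest(hs256_sign(signing_input, key.encode()), sig)
    else:
        return None  # alg/key-type mismatch: rejected before any crypto runs
    return claims if ok else None


# Legitimate token issued with the private key (constructed claims).
LEGIT = encode({"alg": "RS256", "kid": "k1", "typ": "JWT"}, {"sub": "alice"}, rs256_sign)
# Attacker knows only PUBLIC_KEY_PEM and forges an HS256 token keyed with it.
FORGED = encode({"alg": "HS256", "kid": "k1", "typ": "JWT"}, {"sub": "admin"},
                lambda m: hs256_sign(m, PUBLIC_KEY_PEM.encode()))

VULN_KEYS = {"k1": PUBLIC_KEY_PEM}
FIXED_KEYS = {"k1": ("rsa", PUBLIC_KEY_PEM)}

if __name__ == "__main__":
    print("vulnerable, legit :", verify_vulnerable(LEGIT, VULN_KEYS))
    print("vulnerable, forged:", verify_vulnerable(FORGED, VULN_KEYS))
    print("fixed, legit      :", verify_fixed(LEGIT, FIXED_KEYS))
    print("fixed, forged     :", verify_fixed(FORGED, FIXED_KEYS))
```

The check worth keeping from this is the order of operations in `verify_fixed`: the declared key type is compared against `alg` first, so a token can never steer an RSA key into the HMAC path, and the same guard covers any future algorithm added to the dispatch.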
[GitHub] [couchdb] rnewson merged pull request #2727: Only trust the server's declaration of JWT key type
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/couchdb/pull/2727