Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/27 22:05:00 UTC

[GitHub] [couchdb] rnewson opened a new pull request #2727: Only trust the server's declaration of JWT key type

rnewson opened a new pull request #2727: Only trust the server's declaration of JWT key type
URL: https://github.com/apache/couchdb/pull/2727
 
 
   ## Overview
   
   We now insist that the server config specifies the key type of the key and use this
   when looking up the key for a given token. This prevents the known RS256<>HS256
   attack where an attacker discovers a public key trusted by the server and forges an
   HS256 token using its encoded form.
   
   ## Testing recommendations
   
   Covered by new unit tests.
   
   ## Related Issues or Pull Requests
   
   N/A
   
   ## Checklist
   
   - [x] Code is written and works correctly
   - [x] Changes are covered by tests
   - [x] Any new configurable parameters are documented in `rel/overlay/etc/default.ini`
   - [ ] A PR for documentation changes has been made in https://github.com/apache/couchdb-documentation
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
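The attack and the fix described in the PR above, worked through as an added example (this is illustrative Python written for this page, not the PR's or CouchDB's Erlang code). A verifier that trusts the token's alg header and hands whatever bytes the config holds under kid to that algorithm will accept a token HMAC'd with the public key's PEM text; a verifier that requires the config to declare each key's type rejects the same token before any key material is used. The RSA is a textbook PKCS#1 v1.5 toy on a deliberately factorable Mersenne-prime modulus, purely so the RS256 path verifies offline with only the standard library; the PEM-style encoding, the config layout and the function names are assumptions of this example, not CouchDB's format.

```python
"""Added example: JWT alg confusion (RS256 -> HS256) and the declared-key-type fix.
Illustrative Python, not CouchDB's Erlang. The RSA is a textbook PKCS#1 v1.5 toy whose
modulus is a product of two public Mersenne primes, purely so RS256 verifies offline."""
import base64, hashlib, hmac, json

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def toy_rsa_key(e=65537):
    # Factors are M521 and M127: trivially factorable, acceptable only for a demo.
    p, q = (1 << 521) - 1, (1 << 127) - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public_key_pem(key):
    # Constructed PEM-style blob standing in for the SPKI PEM an operator pastes into config.
    body = base64.b64encode(json.dumps({"n": key["n"], "e": key["e"]}).encode()).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n".encode()

def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(pem, msg, sig):
    pub = json.loads(base64.b64decode(pem.decode().split("-----")[2].strip()))
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    return pow(s, pub["e"], pub["n"]).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def b64url_decode(b):
    return base64.urlsafe_b64decode(b + b"=" * (-len(b) % 4))

def make_token(header, payload, sign):
    signing_input = b64url(json.dumps(header).encode()) + b"." + b64url(json.dumps(payload).encode())
    return signing_input + b"." + b64url(sign(signing_input))

def split_token(token):
    h, p, s = token.split(b".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), h + b"." + p

def hs256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_trusting_header_alg(token, keys):
    """Vulnerable: the attacker-controlled 'alg' picks the algorithm, and whatever bytes
    the config holds under 'kid' are fed to it, a public key's PEM text included."""
    header, payload, sig, signing_input = split_token(token)
    key = keys[header["kid"]]
    if header["alg"] == "HS256":
        return payload if hmac.compare_digest(hs256(key, signing_input), sig) else None
    if header["alg"] == "RS256":
        return payload if rsa_verify(key, signing_input, sig) else None
    return None

ALG_FOR_TYPE = {"hmac": "HS256", "rsa": "RS256"}

def verify_with_declared_type(token, keys):
    """Fixed: the server config declares each key's type, and the token's 'alg' must
    match that declaration before any key material is touched."""
    header, payload, sig, signing_input = split_token(token)
    entry = keys.get(header.get("kid"))
    if entry is None or ALG_FOR_TYPE.get(entry["type"]) != header.get("alg"):
        return None
    if entry["type"] == "hmac":
        return payload if hmac.compare_digest(hs256(entry["key"], signing_input), sig) else None
    return payload if rsa_verify(entry["key"], signing_input, sig) else None

def demo():
    priv = toy_rsa_key()
    pem = public_key_pem(priv)  # public by design; assume the attacker has a copy
    vulnerable_config = {"rsa-key": pem}  # bare key material, its type declared nowhere
    fixed_config = {"rsa-key": {"type": "rsa", "key": pem}}  # type declared by the operator
    legit = make_token({"alg": "RS256", "kid": "rsa-key"}, {"sub": "alice"}, lambda m: rsa_sign(priv, m))
    # Forgery: same kid, alg switched to HS256, the PEM bytes used as the HMAC secret.
    forged = make_token({"alg": "HS256", "kid": "rsa-key"}, {"sub": "admin"}, lambda m: hs256(pem, m))
    return {"legit_vuln": verify_trusting_header_alg(legit, vulnerable_config),
            "forged_vuln": verify_trusting_header_alg(forged, vulnerable_config),
            "legit_fixed": verify_with_declared_type(legit, fixed_config),
            "forged_fixed": verify_with_declared_type(forged, fixed_config)}

if __name__ == "__main__":
    print(demo())
```

demo() returns the four verification results: the vulnerable verifier accepts both the legitimate RS256 token and the forged HS256 one (sub "admin"), while the type-checking verifier accepts only the legitimate token and returns None for the forgery. The check that matters is the one in verify_with_declared_type: the configured type decides which algorithm is acceptable for a kid, so the header's alg can only confirm, never choose.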

[GitHub] [couchdb] rnewson merged pull request #2727: Only trust the server's declaration of JWT key type

Posted by GitBox <gi...@apache.org>.
rnewson merged pull request #2727: Only trust the server's declaration of JWT key type
URL: https://github.com/apache/couchdb/pull/2727
 
 
   
