Posted to notifications@apisix.apache.org by me...@apache.org on 2020/11/06 15:48:30 UTC
[apisix] branch master updated: fix(jwt-auth): validate if the
claimed secret is base64 encoded. (#2642)
This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 2ad7f65 fix(jwt-auth): validate if the claimed secret is base64 encoded. (#2642)
2ad7f65 is described below
commit 2ad7f65659e485fb9fbe218a0ef71b27b844debe
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Fri Nov 6 23:48:21 2020 +0800
fix(jwt-auth): validate if the claimed secret is base64 encoded. (#2642)
---
apisix/plugins/jwt-auth.lua | 4 ++++
t/plugin/jwt-auth.t | 27 +++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 720462d..fd72f38 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -108,6 +108,10 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_CONSUMER then
if conf.algorithm ~= "RS256" and not conf.secret then
conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
+ elseif conf.base64_secret then
+ if ngx_decode_base64(conf.secret) == nil then
+ return false, "base64_secret required but the secret is not in base64 format"
+ end
end
if conf.algorithm == "RS256" then
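Review bot: The new `elseif` calls `ngx_decode_base64(conf.secret)` without confirming that `conf.secret` is a string, so a consumer config with `base64_secret = true` and no `secret` — reachable here whenever the first branch is skipped, i.e. when `algorithm == "RS256"` — would raise a Lua error from the decoder instead of returning the `false, err` tuple the caller expects; whether the schema already forbids that combination is not visible in this hunk. Guarding the branch keeps the failure a clean schema rejection: `elseif conf.base64_secret and type(conf.secret) == "string" then`, or return an explicit `false, "base64_secret requires a secret"` for the nil case. A second, smaller point: `ngx_decode_base64("")` yields an empty string rather than nil, so `secret = ""` with `base64_secret = true` still passes this check; if the schema does not enforce a minimum length, consider also rejecting a decoded result of length 0, since an empty HMAC key lets anyone forge tokens. `check_schema` begins before this hunk and the RS256 branch on the last line continues past it.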
diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t
index af051e1..11c9695 100644
--- a/t/plugin/jwt-auth.t
+++ b/t/plugin/jwt-auth.t
@@ -1113,3 +1113,30 @@ PATCH /apisix/plugin/jwt/sign?key=user-key
GET /t
--- response_body_like eval
qr/property "algorithm" validation failed/
+
+
+
+=== TEST 49: wrong format of secret
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local plugin = require("apisix.plugins.jwt-auth")
+ local ok, err = plugin.check_schema({
+ key = "123",
+ secret = "{^c0j4&]2!=J=",
+ base64_secret = true,
+ }, core.schema.TYPE_CONSUMER)
+ if not ok then
+ ngx.say(err)
+ else
+ ngx.say("done")
+ end
+ }
+ }
+--- response_body
+base64_secret required but the secret is not in base64 format
+--- no_error_log
+[error]
+--- request
+GET /t
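Review bot: TEST 49 pins only the rejection path; nothing in this hunk shows that a consumer with `base64_secret = true` and a well-formed base64 secret still passes `check_schema`, so a regression that rejects valid base64 (for instance a stricter decoder that refuses unpadded input) would go unnoticed. A sibling case with `secret = ngx.encode_base64("my-secret")`, `base64_secret = true` and an expected body of `done` would cover it. Whether an earlier test in the file already exercises the positive path is not visible here.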