Posted to notifications@apisix.apache.org by me...@apache.org on 2020/11/06 15:48:30 UTC

[apisix] branch master updated: fix(jwt-auth): validate if the claimed secret is base64 encoded. (#2642)

This is an automated email from the ASF dual-hosted git repository.

membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 2ad7f65  fix(jwt-auth): validate if the claimed secret is base64 encoded. (#2642)
2ad7f65 is described below

commit 2ad7f65659e485fb9fbe218a0ef71b27b844debe
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Fri Nov 6 23:48:21 2020 +0800

    fix(jwt-auth): validate if the claimed secret is base64 encoded. (#2642)
---
 apisix/plugins/jwt-auth.lua |  4 ++++
 t/plugin/jwt-auth.t         | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 720462d..fd72f38 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -108,6 +108,10 @@ function _M.check_schema(conf, schema_type)
     if schema_type == core.schema.TYPE_CONSUMER then
         if conf.algorithm ~= "RS256" and not conf.secret then
             conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
+        elseif conf.base64_secret then
+            if ngx_decode_base64(conf.secret) == nil then
+                return false, "base64_secret required but the secret is not in base64 format"
+            end
         end
 
         if conf.algorithm == "RS256" then
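Review bot: The added `ngx_decode_base64(conf.secret)` call is reached whenever `base64_secret` is set, including when `secret` is absent, because the preceding branch only generates a secret for non-RS256 consumers; an RS256 consumer with `base64_secret = true` and no `secret` would hand nil to the decoder, which rejects a non-string argument with a Lua error instead of letting check_schema return `false, err`. Presumably the schema (outside this hunk) permits `secret` to be nil for RS256 — if so, guard the branch with `elseif conf.base64_secret and conf.secret then`. The check also only establishes that the value decodes, not that the decoded key has any particular length; a comment such as `-- format check only: a decodable secret is not necessarily a strong one` would make that explicit for the next maintainer. check_schema begins and ends outside this hunk.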
diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t
index af051e1..11c9695 100644
--- a/t/plugin/jwt-auth.t
+++ b/t/plugin/jwt-auth.t
@@ -1113,3 +1113,30 @@ PATCH /apisix/plugin/jwt/sign?key=user-key
 GET /t
 --- response_body_like eval
 qr/property "algorithm" validation failed/
+
+
+
+=== TEST 49: wrong format of secret
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local plugin = require("apisix.plugins.jwt-auth")
+            local ok, err = plugin.check_schema({
+                key = "123",
+                secret = "{^c0j4&]2!=J=",
+                base64_secret = true,
+            }, core.schema.TYPE_CONSUMER)
+            if not ok then
+                ngx.say(err)
+            else
+                ngx.say("done")
+            end
+        }
+    }
+--- response_body
+base64_secret required but the secret is not in base64 format
+--- no_error_log
+[error]
+--- request
+GET /t
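Review bot: TEST 49 exercises only the rejection path; nothing in this hunk confirms that a consumer with `base64_secret = true` and a well-formed base64 `secret` is still accepted, so a regression that rejects valid base64 would go unnoticed unless an earlier test (outside this view) already covers it. A companion case passing `secret = ngx.encode_base64("some-key")` with `base64_secret = true` and expecting `done` would pin the positive side. A short comment on the `secret = "{^c0j4&]2!=J="` line, `-- contains characters outside the base64 alphabet`, would record why this particular literal is expected to fail.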