authorRobert Newson <rnewson@apache.org>2020-03-16 16:44:18 +0000
committerRobert Newson <rnewson@apache.org>2020-03-16 17:12:09 +0000
commitff6cef663afe4665f85d2e5cfb458d2bd1a16caf (patch)
treefac0db941dff9e03ab7c2047e26bcee170ea1ca7
parent1f54b1419342c5182a5fd17863020e08137e479d (diff)
Throw if an unknown check is passed to jwtf:decode
-rw-r--r--src/jwtf/src/jwtf.erl19
-rw-r--r--src/jwtf/test/jwtf_tests.erl4
2 files changed, 23 insertions, 0 deletions
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 0bdc0aa1a..b558bdc63 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -35,6 +35,16 @@
{<<"HS384">>, {hmac, sha384}},
{<<"HS512">>, {hmac, sha512}}]).
+-define(CHECKS, [
+ alg,
+ exp,
+ iat,
+ iss,
+ kid,
+ nbf,
+ sig,
+ typ]).
+
% @doc encode
% Encode the JSON Header and Claims using Key and Alg obtained from Header
@@ -102,6 +112,7 @@ verification_algorithm(Alg) ->
validate(Header0, Payload0, Signature, Checks, KS) ->
+ validate_checks(Checks),
Header1 = props(decode_b64url_json(Header0)),
validate_header(Header1, Checks),
@@ -112,6 +123,14 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
Key = key(Header1, Checks, KS),
verify(Alg, Header0, Payload0, Signature, Key).
+validate_checks(Checks) when is_list(Checks) ->
+ UnknownChecks = proplists:get_keys(Checks) -- ?CHECKS,
+ case UnknownChecks of
+ [] ->
+ ok;
+ UnknownChecks ->
+ error({unknown_checks, UnknownChecks})
+ end.
validate_header(Props, Checks) ->
validate_typ(Props, Checks),
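Review bot: A check element that is neither an atom nor a tuple is silently ignored by the new `validate_checks/1` rather than rejected, because (as far as I recall) `proplists:get_keys/1` skips such elements, so a caller who passes `[<<"exp">>]` or `["exp"]` sails through this validation and then simply gets no expiry check downstream — the silent misconfiguration the commit sets out to catch. Separately, `proplists:get_keys/1` collects its result through a set, so the order of `UnknownChecks` at `error({unknown_checks, UnknownChecks})` is implementation-defined, and the test added in this commit pins the exact `[bar, foo]`, which is fragile across OTP versions. Both are fixed by rejecting unsupported element shapes up front and normalising the order with `lists:usort/1`, as sketched below. As a minor point, the commit title says "Throw" while the code raises via `error/1` (the test uses `?assertError`), which is the right choice for a programmer error but worth matching in the wording. `validate/5` starts in the previous hunk; only its tail is visible here.
```erlang
validate_checks(Checks) when is_list(Checks) ->
    %% Every check must be an atom or a {Key, Value} tuple; anything else
    %% would be dropped by proplists:get_keys/1 and never validated.
    case lists:all(fun(C) -> is_atom(C) orelse is_tuple(C) end, Checks) of
        true -> ok;
        false -> error({malformed_checks, Checks})
    end,
    %% usort makes the reported list deterministic regardless of OTP version.
    UnknownChecks = lists:usort(proplists:get_keys(Checks)) -- ?CHECKS,
    %% … unchanged: case on UnknownChecks …
```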
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index 222bb4792..e445e5fc9 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -178,6 +178,10 @@ malformed_token_test() ->
?assertEqual({error, {bad_request, <<"Malformed token">>}},
jwtf:decode(<<"a.b.c.d">>, [], nil)).
+unknown_check_test() ->
+ ?assertError({unknown_checks, [bar, foo]},
+ jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)).
+
%% jwt.io generated
hs256_test() ->