authorRobert Newson <rnewson@apache.org>2017-05-08 19:20:01 +0100
committerRobert Newson <rnewson@apache.org>2017-05-08 19:20:01 +0100
commitd7bd8d16f560d3884a7da68e03b3b4eb62544b26 (patch)
tree4ac368e2db6fbde207b0bf422001490c3f2bd2b4
parent5b9dad72f40750abb52184d925a15667b29abe1e (diff)
downloadcouchdb-d7bd8d16f560d3884a7da68e03b3b4eb62544b26.tar.gz
Make typ and alg optional
and make everything truly optional.
-rw-r--r--src/jwtf.erl50
1 files changed, 34 insertions, 16 deletions
diff --git a/src/jwtf.erl b/src/jwtf.erl
index ec4a19ac8..f3f41a686 100644
--- a/src/jwtf.erl
+++ b/src/jwtf.erl
@@ -27,7 +27,7 @@ decode(EncodedToken, Checks, KS) ->
validate(Header0, Payload0, Signature, Checks, KS) ->
Header1 = props(decode_json(Header0)),
- validate_header(Header1),
+ validate_header(Header1, Checks),
Payload1 = props(decode_json(Payload0)),
validate_payload(Payload1, Checks),
@@ -37,17 +37,37 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
verify(Alg, Header0, Payload0, Signature, Key).
-validate_header(Props) ->
- case prop(<<"typ">>, Props) of
- <<"JWT">> ->
+validate_header(Props, Checks) ->
+ validate_typ(Props, Checks),
+ validate_alg(Props, Checks).
+
+
+validate_typ(Props, Checks) ->
+ Required = prop(typ, Checks),
+ TYP = prop(<<"typ">>, Props),
+ case {Required, TYP} of
+ {undefined, _} ->
ok;
- _ ->
+ {true, undefined} ->
+ throw({error, missing_typ});
+ {true, <<"JWT">>} ->
+ ok;
+ {true, _} ->
throw({error, invalid_typ})
- end,
- case prop(<<"alg">>, Props) of
- <<"RS256">> ->
+ end.
+
+
+validate_alg(Props, Checks) ->
+ Required = prop(alg, Checks),
+ Alg = prop(<<"alg">>, Props),
+ case {Required, Alg} of
+ {undefined, _} ->
ok;
- <<"HS256">> ->
+ {true, undefined} ->
+ throw({error, missing_alg});
+ {true, <<"RS256">>} ->
+ ok;
+ {true, <<"HS256">>} ->
ok;
_ ->
throw({error, invalid_alg})
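Review bot: In `validate_alg` the `{undefined, _}` clause returns `ok` for any header `alg`, including an absent or unexpected one, whenever the caller leaves `alg` out of Checks, so the RS256/HS256 allow-list that used to be unconditional is now opt-in. The context line `verify(Alg, Header0, Payload0, Signature, Key)` still takes an algorithm, and because the token header selects it while the key comes from the caller's KS, an unrestricted value matters; how `Alg` is bound and what `verify/5` does with an unlisted value are outside this hunk and should be confirmed. I would keep the allow-list for any value that is present and make only absence optional: `{undefined, undefined} -> ok;` in place of `{undefined, _}`, then `{_, <<"RS256">>} -> ok;` and `{_, <<"HS256">>} -> ok;`. The closing `end.` of `validate_alg` is outside the hunk.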
@@ -82,7 +102,7 @@ validate_iat(Props, Checks) ->
IAT = prop(<<"iat">>, Props),
case {Required, IAT} of
- {undefined, undefined} ->
+ {undefined, _} ->
ok;
{true, undefined} ->
throw({error, missing_iat});
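Review bot: The `{undefined, _}` clause here, and the identical ones in the `validate_nbf` and `validate_exp` hunks below, skip a claim that is present in the token unless the caller names it in Checks, so as far as these functions are concerned a token with an `exp` in the past or an `nbf` in the future passes when those atoms are omitted. If that is the intended contract it should be stated where callers will read it, for example above `decode/3`: `%% Claims are validated only when named in Checks; without exp in Checks an expired token is not rejected.` The remaining clauses of all three functions are outside the hunks, so the value comparisons themselves cannot be judged here.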
@@ -96,7 +116,7 @@ validate_nbf(Props, Checks) ->
NBF = prop(<<"nbf">>, Props),
case {Required, NBF} of
- {undefined, undefined} ->
+ {undefined, _} ->
ok;
{true, undefined} ->
throw({error, missing_nbf});
@@ -110,7 +130,7 @@ validate_exp(Props, Checks) ->
EXP = prop(<<"exp">>, Props),
case {Required, EXP} of
- {undefined, undefined} ->
+ {undefined, _} ->
ok;
{true, undefined} ->
throw({error, missing_exp});
@@ -123,11 +143,9 @@ key(Props, Checks, KS) ->
Required = prop(kid, Checks),
KID = prop(<<"kid">>, Props),
case {Required, KID} of
- {undefined, undefined} ->
- KS(undefined);
{true, undefined} ->
throw({error, missing_kid});
- {true, KID} ->
+ {_, KID} ->
KS(KID)
end.
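Review bot: With `{_, KID} -> KS(KID)` the caller's key-store fun now receives the token's `kid` header even when `kid` is not in Checks, and `undefined` when the header has none; since `verify/5` takes the resulting key, that lookup runs on a value whose signature has not yet been checked. KS implementations have to treat the argument as untrusted input and handle `undefined`, which the commit does not document. I would add above `key/3`: `%% KS is called with the unverified kid from the token header, or undefined when it is absent.` Separately, `KID` is already bound at that point, so `{_, KID}` only matches against itself; `{_, _}` states the intent more plainly.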
@@ -308,7 +326,7 @@ hs256_test() ->
"sImtpZCI6ImJhciJ9.lpOvEnYLdcujwo9RbhzXme6J-eQ1yfl782qq"
"crR6QYE">>,
KS = fun(_) -> <<"secret">> end,
- Checks = [{iss, <<"https://foo.com">>}, iat, exp, kid, sig],
+ Checks = [{iss, <<"https://foo.com">>}, iat, exp, kid, sig, typ, alg],
?assertMatch({ok, _}, decode(EncodedToken, Checks, KS)).
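Review bot: The only test change is adding `typ` and `alg` to the Checks of `hs256_test`, which exercises the accepting path; the new `missing_typ` and `missing_alg` throws and the behaviour when a check is left out of Checks are not covered in the visible hunks. A negative test per new error, plus one that decodes a token whose header `alg` is outside RS256/HS256 with `alg` omitted from Checks, would pin what the commit intends. `hs256_test` starts outside the hunk and other tests may exist elsewhere in the file.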