Remove enhanced alg check

This mechanism is replaced by the much stronger tying of verification
algorithm to the key directly in the server config.

4 files changed, 5 insertions, 22 deletions

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 25f1027d2..24f504726 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -143,8 +143,6 @@ max_db_number_for_dbs_info_req = 100
 ;[jwt_auth]
 ; List of claims to validate
 ; required_claims = exp
-; List of algorithms to accept during checks
-; allowed_algorithms = HS256
 ;
 ; [jwt_keys]
 ; Configure at least one key here if using the JWT auth handler.
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 43fb4161c..4f19728e9 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -192,8 +192,7 @@ jwt_authentication_handler(Req) ->
     case header_value(Req, "Authorization") of
         "Bearer " ++ Jwt ->
             RequiredClaims = get_configured_claims(),
-            AllowedAlgorithms = get_configured_algorithms(),
-            case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwtf_keystore:get/2) of
+            case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
                 {ok, {Claims}} ->
                     case lists:keyfind(<<"sub">>, 1, Claims) of
                         false -> throw({unauthorized, <<"Token missing sub claim.">>});
@@ -208,9 +207,6 @@ jwt_authentication_handler(Req) ->
         _ -> Req
     end.
 
-get_configured_algorithms() ->
-    re:split(config:get("jwt_auth", "allowed_algorithms", "HS256"), "\s*,\s*", [{return, binary}]).
-
 get_configured_claims() ->
     re:split(config:get("jwt_auth", "required_claims", ""), "\s*,\s*", [{return, binary}]).
 
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index b558bdc63..098a41d24 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -158,11 +158,10 @@ validate_alg(Props, Checks) ->
     case {Required, Alg} of
         {undefined, _} ->
             ok;
-        {Required, undefined} when Required /= undefined ->
+        {true, undefined} ->
             throw({bad_request, <<"Missing alg header parameter">>});
-        {Required, Alg} when Required == true; is_list(Required) ->
-            AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
-            case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
+        {true, Alg} ->
+            case lists:member(Alg, valid_algorithms()) of
                 true ->
                     ok;
                 false ->
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index e445e5fc9..df3866f23 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,16 +82,6 @@ invalid_alg_test() ->
     ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
         jwtf:decode(Encoded, [alg], nil)).
 
-not_allowed_alg_test() ->
-    Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
-    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
-        jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
-
-reject_unknown_alg_test() ->
-    Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
-    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
-        jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
-
 
 missing_iss_test() ->
     Encoded = encode(valid_header(), {[]}),
@@ -190,7 +180,7 @@ hs256_test() ->
                      "6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
                      "Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
     KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
-    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
+    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
     ?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).