author | Robert Newson <rnewson@apache.org> | 2020-03-16 17:38:29 +0000 |
committer | Robert Newson <rnewson@apache.org> | 2020-04-02 18:33:02 +0100 |
commit | eaad1b14ab0e94773645a25db9be0e8b99113957 (patch) | |
tree | 15e23961bacc69a247e7ad7260f460bb7b1f9b51 | |
parent | 6bb69c28a0ea3188086290ef42b0e242617a7342 (diff) | |
Merge pull request #2668 from apache/jwtf-unknown-checks
Throw if an unknown check is passed to jwtf:decode
-rw-r--r-- | src/jwtf/src/jwtf.erl | 19 | ||||
-rw-r--r-- | src/jwtf/test/jwtf_tests.erl | 4 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 0bdc0aa1a..b558bdc63 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -35,6 +35,16 @@
 {<<"HS384">>, {hmac, sha384}},
 {<<"HS512">>, {hmac, sha512}}]).
+-define(CHECKS, [
+ alg,
+ exp,
+ iat,
+ iss,
+ kid,
+ nbf,
+ sig,
+ typ]).
+
 % @doc encode
 % Encode the JSON Header and Claims using Key and Alg obtained from Header
@@ -102,6 +112,7 @@ verification_algorithm(Alg) ->
 validate(Header0, Payload0, Signature, Checks, KS) ->
+ validate_checks(Checks),
 Header1 = props(decode_b64url_json(Header0)),
 validate_header(Header1, Checks),
@@ -112,6 +123,14 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
 Key = key(Header1, Checks, KS),
 verify(Alg, Header0, Payload0, Signature, Key).
+validate_checks(Checks) when is_list(Checks) ->
+ UnknownChecks = proplists:get_keys(Checks) -- ?CHECKS,
+ case UnknownChecks of
+ [] ->
+ ok;
+ UnknownChecks ->
+ error({unknown_checks, UnknownChecks})
+ end.
 validate_header(Props, Checks) ->
 validate_typ(Props, Checks),
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index 222bb4792..e445e5fc9 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -178,6 +178,10 @@ malformed_token_test() ->
 ?assertEqual({error, {bad_request, <<"Malformed token">>}},
 jwtf:decode(<<"a.b.c.d">>, [], nil)).
+unknown_check_test() ->
+ ?assertError({unknown_checks, [bar, foo]},
+ jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)).
+
 %% jwt.io generated
 hs256_test() ->
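Review bot: The element order of the `{unknown_checks, UnknownChecks}` error raised in validate_checks/1 is unspecified, because proplists:get_keys/1 is documented to return an unordered, de-duplicated list, so the `[bar, foo]` that unknown_check_test in jwtf_tests.erl asserts against depends on the internal ordering of the sets module rather than on the caller's input and may differ between OTP releases. Sorting before the set subtraction makes both the error report and the test deterministic: `UnknownChecks = lists:usort(proplists:get_keys(Checks)) -- ?CHECKS,`. The CHECKS macro added in the first hunk is now the list a misspelled or unsupported check is rejected against (one that presumably went unnoticed before this change), so it deserves a one-line comment such as `% Every check name decode/3 accepts; validate_checks/1 raises on anything else.`. validate/5 starts and ends outside the second hunk, so the placement of the validate_checks/1 call ahead of header decoding is taken from the context lines only.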