-rw-r--r-- | src/jwtf/src/jwtf.erl | 19 | ||||
-rw-r--r-- | src/jwtf/test/jwtf_tests.erl | 4 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 0bdc0aa1a..b558bdc63 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -35,6 +35,16 @@
 {<<"HS384">>, {hmac, sha384}},
 {<<"HS512">>, {hmac, sha512}}]).
+-define(CHECKS, [
+ alg,
+ exp,
+ iat,
+ iss,
+ kid,
+ nbf,
+ sig,
+ typ]).
+
 % @doc encode
 % Encode the JSON Header and Claims using Key and Alg obtained from Header
@@ -102,6 +112,7 @@ verification_algorithm(Alg) ->
 validate(Header0, Payload0, Signature, Checks, KS) ->
+ validate_checks(Checks),
 Header1 = props(decode_b64url_json(Header0)),
 validate_header(Header1, Checks),
@@ -112,6 +123,14 @@ validate(Header0, Payload0, Signature, Checks, KS) ->
 Key = key(Header1, Checks, KS),
 verify(Alg, Header0, Payload0, Signature, Key).
+validate_checks(Checks) when is_list(Checks) ->
+ UnknownChecks = proplists:get_keys(Checks) -- ?CHECKS,
+ case UnknownChecks of
+ [] ->
+ ok;
+ UnknownChecks ->
+ error({unknown_checks, UnknownChecks})
+ end.
 validate_header(Props, Checks) ->
 validate_typ(Props, Checks),
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index 222bb4792..e445e5fc9 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -178,6 +178,10 @@ malformed_token_test() ->
 ?assertEqual({error, {bad_request, <<"Malformed token">>}},
 jwtf:decode(<<"a.b.c.d">>, [], nil)).
+unknown_check_test() ->
+ ?assertError({unknown_checks, [bar, foo]},
+ jwtf:decode(<<"a.b.c">>, [exp, foo, iss, bar, exp], nil)).
+
 %% jwt.io generated
 hs256_test() -> |
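Review bot: The new ?CHECKS macro carries no comment, yet validate_checks/1 later in this diff treats it as the exhaustive set of accepted check keys, so a maintainer adding a new check to the validate_* helpers that read Checks would not know this list must grow with it. A one-line comment above the define makes the coupling explicit, for example `% Every check key accepted in the Checks list; validate_checks/1 raises on any other key, so extend this list whenever a new check is added.` This is documentation only; the macro contents are fine as they are.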
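Review bot: validate_checks/1 builds UnknownChecks from proplists:get_keys/1, which OTP documents as returning an unordered list, so the order of keys in the {unknown_checks, ...} error term is not stable, and the new unknown_check_test in jwtf_tests.erl pins it to `[bar, foo]`. Sorting once makes both the error term and the test deterministic: `UnknownChecks = lists:usort(proplists:get_keys(Checks)) -- ?CHECKS,`. The second case clause also re-matches the already-bound UnknownChecks against itself, which reads as if a new binding were intended; a plain `_ ->` (or two function clauses on the result) is clearer. A `-spec validate_checks(proplists:proplist()) -> ok.` plus a short comment stating that an unknown key is treated as a caller bug and raised with error/1 rather than returned as {error, _} would document the contract, and raising here is sensible since a misspelled check key is a configuration defect rather than a bad token.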