From 39b9cc7e741f6b3b9a1f08e7aff8f3e9d0b14325 Mon Sep 17 00:00:00 2001
From: Robert Newson <rnewson@apache.org>
Date: Fri, 13 Mar 2020 10:33:13 +0000
Subject: Enhance alg check

The "alg" check can now take list of algorithms that are supported,
which must be from the valid list of algorithms.
---
 src/jwtf/src/jwtf.erl        |  7 ++++---
 src/jwtf/test/jwtf_tests.erl | 12 +++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index 8e58e0897..0bdc0aa1a 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -139,10 +139,11 @@ validate_alg(Props, Checks) ->
     case {Required, Alg} of
         {undefined, _} ->
             ok;
-        {true, undefined} ->
+        {Required, undefined} when Required /= undefined ->
             throw({bad_request, <<"Missing alg header parameter">>});
-        {true, Alg} ->
-            case lists:member(Alg, valid_algorithms()) of
+        {Required, Alg} when Required == true; is_list(Required) ->
+            AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
+            case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
                 true ->
                     ok;
                 false ->
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index dcebe5f40..222bb4792 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,6 +82,16 @@ invalid_alg_test() ->
     ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
         jwtf:decode(Encoded, [alg], nil)).
 
+not_allowed_alg_test() ->
+    Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
+    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+        jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
+
+reject_unknown_alg_test() ->
+    Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
+    ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
+        jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
+
 
 missing_iss_test() ->
     Encoded = encode(valid_header(), {[]}),
@@ -176,7 +186,7 @@ hs256_test() ->
                      "6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
                      "Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
     KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
-    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
+    Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
     ?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).
 
 
-- 
cgit v1.2.1