Remove enhanced alg check
This mechanism is replaced by the much stronger tying of verification
algorithm to the key directly in the server config.
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 25f1027..24f5047 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -143,8 +143,6 @@
;[jwt_auth]
; List of claims to validate
; required_claims = exp
-; List of algorithms to accept during checks
-; allowed_algorithms = HS256
;
; [jwt_keys]
; Configure at least one key here if using the JWT auth handler.
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 43fb416..4f19728 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -192,8 +192,7 @@
case header_value(Req, "Authorization") of
"Bearer " ++ Jwt ->
RequiredClaims = get_configured_claims(),
- AllowedAlgorithms = get_configured_algorithms(),
- case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwtf_keystore:get/2) of
+ case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
{ok, {Claims}} ->
case lists:keyfind(<<"sub">>, 1, Claims) of
false -> throw({unauthorized, <<"Token missing sub claim.">>});
@@ -208,9 +207,6 @@
_ -> Req
end.
-get_configured_algorithms() ->
- re:split(config:get("jwt_auth", "allowed_algorithms", "HS256"), "\s*,\s*", [{return, binary}]).
-
get_configured_claims() ->
re:split(config:get("jwt_auth", "required_claims", ""), "\s*,\s*", [{return, binary}]).
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index b558bdc..098a41d 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -158,11 +158,10 @@
case {Required, Alg} of
{undefined, _} ->
ok;
- {Required, undefined} when Required /= undefined ->
+ {true, undefined} ->
throw({bad_request, <<"Missing alg header parameter">>});
- {Required, Alg} when Required == true; is_list(Required) ->
- AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
- case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
+ {true, Alg} ->
+ case lists:member(Alg, valid_algorithms()) of
true ->
ok;
false ->
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index e445e5f..df3866f 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,16 +82,6 @@
?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
jwtf:decode(Encoded, [alg], nil)).
-not_allowed_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
-
-reject_unknown_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
-
missing_iss_test() ->
Encoded = encode(valid_header(), {[]}),
@@ -190,7 +180,7 @@
"6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
"Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
- Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
+ Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).
