Fix traversing not matching header algos #545
Conversation
lib/jwt/decode.rb
Outdated
| raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty? | ||
| raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header | ||
| raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless valid_alg_in_header? | ||
|
|
||
| @algos = find_valid_algos_in_header |
There was a problem hiding this comment.
Setting the @algos in the middle of everything feels a little wrong.
We are interested in the intersection between the allowed_algorithms and what is specified in the token header, right?
Could there be a method (maybe a memoizing one) that would be used in the verify_algos and verify_signature_for??
for example
def allowed_and_valid_algorithms
@allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
end
|
Hi, I think I get the problem and I don't see a problem filtering the list based on the user provided algorithms. I added a comment on the way the algorithms to be used are resolved. Could you also be so kind and add a changelog entry to |
|
Hey @anakinj thank you for your kind review! I addressed rubocop fails and implemented the |
|
also |
Co-authored-by: Joakim Antman <antmanj@gmail.com>
|
Great improvement. Thank you for the effort. |
|
Hey @anakinj! Thank you for all the support and for reviewing my PR 馃槉 One last thing is don't you mind releasing a new version of |
|
New version out. Have fun with it :) |
Hello ruby-jwt maintainers! Thank you for these amazing tool. 馃檹
Recently in our company we started to thinking of how we could rotate keys with 0 downtime.
I found that
keyfindercan actually return array of keys andruby-jwtwill iterate through these keys until find a matching oneruby-jwt/lib/jwt/decode.rb
Line 47 in 8963312
BUT the problem is that for each key we traverse all allowed algoes in decoder.
Our provider code supports multiple consumers which encodes payload with different
algoes, so the current code can lead to the case when we have matching public key returned as second element in keyfinder but we even don't try to decode the payload with it as we fail with attempt to decode with first key but with incorrect algo.You can find these case in specs and implementation to fix this issue in this PR.