Fix traversing not matching header algos #545
Conversation
lib/jwt/decode.rb
```ruby
raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header
raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless valid_alg_in_header?

@algos = find_valid_algos_in_header
```
Setting the `@algos` in the middle of everything feels a little wrong.
We are interested in the intersection between the allowed_algorithms and what is specified in the token header, right?
Could there be a method (maybe a memoizing one) that would be used in the verify_algos and verify_signature_for?
For example:

```ruby
def allowed_and_valid_algorithms
  @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
end
```
Hi, I think I get the problem and I don't see a problem filtering the list based on the user provided algorithms. I added a comment on the way the algorithms to be used are resolved. Could you also be so kind as to add a changelog entry to
Hey @anakinj thank you for your kind review! I addressed rubocop fails and implemented the
also
Co-authored-by: Joakim Antman <antmanj@gmail.com>
Great improvement. Thank you for the effort.
Hey @anakinj! Thank you for all the support and for reviewing my PR 😊 One last thing is don't you mind releasing a new version of
New version out. Have fun with it :)
Hello ruby-jwt maintainers! Thank you for this amazing tool. 🙏
Recently in our company we started thinking about how we could rotate keys with 0 downtime.
I found that keyfinder can actually return an array of keys and ruby-jwt will iterate through these keys until it finds a matching one (ruby-jwt/lib/jwt/decode.rb, line 47 in 8963312).
BUT the problem is that for each key we traverse all allowed algos in the decoder.
Our provider code supports multiple consumers which encode the payload with different algos, so the current code can lead to the case where we have a matching public key returned as the second element from keyfinder but we don't even try to decode the payload with it, as we fail on the attempt to decode with the first key but with the incorrect algo. You can find this case in the specs and the implementation to fix this issue in this PR.
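To make the key-rotation scenario from the description concrete, here is an added, stand-alone example (not ruby-jwt's own code) that narrows the allowed algorithms to the one named in the token's alg header, as the review suggested, and then tries each key returned by the keyfinder. It uses only Ruby's standard library with HMAC algorithms; the function names, keys and payload are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# HMAC-only stand-in for the algorithm objects ruby-jwt uses (constructed example).
HMAC_ALGS = { 'HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512' }.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build a compact JWS the way a consumer would hand it to the provider.
def sign_token(payload, key, alg)
  header_b64 = b64url(JSON.generate({ 'alg' => alg, 'typ' => 'JWT' }))
  signing_input = "#{header_b64}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest(HMAC_ALGS.fetch(alg), key, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Constant-time comparison so the comparison itself leaks no information about where the bytes differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode the way the PR does: keep only the allowed algorithms that match the token's
# alg header, then try every key the keyfinder returned with that narrowed list, so a
# key that sits second in the list is still reached. Returns the payload or raises.
def decode_with_rotation(token, allowed_algs, keys)
  header_b64, body_b64, sig_b64 = token.split('.')
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  algos = allowed_algs.select { |alg| alg == header['alg'] }
  raise 'Expected a different algorithm' if algos.empty?
  signing_input = "#{header_b64}.#{body_b64}"
  sig = Base64.urlsafe_decode64(sig_b64)
  keys.each do |key|
    algos.each do |alg|
      expected = OpenSSL::HMAC.digest(HMAC_ALGS.fetch(alg), key, signing_input)
      return JSON.parse(Base64.urlsafe_decode64(body_b64)) if secure_equal?(expected, sig)
    end
  end
  raise 'Signature verification failed'
end

# Constructed scenario: consumer A signs with HS512, consumer B with HS256, and the
# keyfinder returns A's key first, as in the report. The provider allows both algorithms.
KEY_A = 'consumer-a-secret-key'
KEY_B = 'consumer-b-secret-key'
```

With these constants, `decode_with_rotation(sign_token({ 'sub' => 'consumer-b' }, KEY_B, 'HS256'), %w[HS512 HS256], [KEY_A, KEY_B])` succeeds on the second key, while a token whose header names an algorithm outside the allow-list is rejected before any key is tried.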