From 267ce51973856d0e1ea52b6a6ab9f361a2188f89 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Mon, 30 Aug 2021 08:56:28 +0200
Subject: [PATCH] jwt: Harden check by hardcoding accepted algorithms

---
 src/infra/auth_service.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/infra/auth_service.rs b/src/infra/auth_service.rs
index 8f76b14..b5ab3d3 100644
--- a/src/infra/auth_service.rs
+++ b/src/infra/auth_service.rs
@@ -365,6 +365,12 @@ pub(crate) fn check_if_token_is_valid(
 if token.claims().exp.lt(&Utc::now()) {
 return Err(ErrorUnauthorized("Expired JWT"));
 }
+ if token.header().algorithm != jwt::AlgorithmType::Hs512 {
+ return Err(ErrorUnauthorized(format!(
+ "Unsupported JWT algorithm: '{:?}'. Supported ones are: ['HS512']",
+ token.header().algorithm
+ )));
+ }
 let jwt_hash = {
 let mut s = DefaultHasher::new();
 token_str.hash(&mut s);
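Review bot: The algorithm allowlist is applied only after the `exp` claim has already been read and compared, so a claim is consumed before the token's header is rejected; the check is stronger placed ahead of the expiry test, i.e. move the new `if token.header().algorithm != jwt::AlgorithmType::Hs512 { ... }` block above `if token.claims().exp.lt(&Utc::now()) {`, so that nothing in the claims is trusted until the header has passed. Whether `token` is already signature-verified when this runs cannot be seen here, because `check_if_token_is_valid` begins outside the hunk; if it was verified with an HS512 key, this is defence in depth and deserves a comment saying so, e.g. `// Accepted algorithms are fixed at HS512; never let the token's own header choose the verifier.` The `['HS512']` literal in the message duplicates the variant in the comparison; a single `const` used by both would keep the message and the check from drifting apart.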