Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: jwt validation correctly compares the aud with both app id and auth origin #147

Merged
merged 3 commits into from
Dec 20, 2024
Merged

fix: jwt validation correctly compares the aud with both app id and auth origin #147

merged 3 commits into from
Dec 20, 2024

Conversation

ctran88
Copy link
Contributor

@ctran88 ctran88 commented Dec 20, 2024
edited
Loading

What's New?

There was a bug where the validate_jwt method was not using the correct auth origin value when verifying the jwt audience.

The jwt would still pass verification if it was the new structure, since it also includes the app id in the audience array. But it would compare a nil auth origin to the jwt's real auth origin.

  • c86e409 is what minimally fixes the issue
  • d88248c removes the auth origin comparison all together so the audience is only checked against app id (compatible with new jwt structure)

To repro:
Change the expected audience to only check for @auth_origin and run the auth tests. they should error, stating

Passage::PassageError: Invalid audience. Expected [nil], received ["http://localhost:4173", "<app id>"]

where nil is supposed to be the value of @auth_origin

Screenshots (if appropriate):

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have manually tested my code thoroughly
  • I have added/updated inline documentation for public facing interfaces if relevant
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing integration and unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Additional context

@ctran88 ctran88 marked this pull request as ready for review December 20, 2024 19:39
@ctran88 ctran88 requested a review from a team December 20, 2024 19:39
@ctran88 ctran88 changed the title fix: jwt validation now correctly verifies the audience fix: jwt validation correctly compares the aud with both app id and auth origin Dec 20, 2024
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ctran88 ctran88 merged commit 8b03140 into main Dec 20, 2024
6 checks passed
@ctran88 ctran88 deleted the PSG-5602-fix-jwt-audience-verification branch December 20, 2024 20:28
@github-actions github-actions bot mentioned this pull request Dec 20, 2024
Merged
This was referenced Dec 20, 2024
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bertrmz bertrmz bertrmz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ctran88 @bertrmz