Merge pull request #256 from USACE/chore/validate-jwt-alg

Validate jwt method
USACE · Feb 20, 2025 · 001e779 · 001e779
2 parents 50fc586 + fa5ed2f
commit 001e779
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/api/internal/config/server.go b/api/internal/config/server.go
@@ -7,7 +7,7 @@ type ServerConfig struct {
 	AuthJWTMocked           bool     `env:"AUTH_JWT_MOCKED"`
 	AuthAllowEmailSuffixes  []string `env:"AUTH_ALLOW_EMAIL_SUFFIXES"`
 	AuthPublicKey           string   `env:"AUTH_PUBLIC_KEY"`
-	AuthSigningMethod       string   `env:"AUTH_SIGNING_METHOD"`
+	AuthSigningMethod       string   `env:"AUTH_SIGNING_METHOD" envDefault:"RS256"`
 	Debug                   bool     `env:"DEBUG"`
 	ReportDownloadJobMocked bool     `env:"REPORT_DOWNLOAD_JOB_MOCKED"`
 	RequestLoggerEnabled    bool     `env:"REQUEST_LOGGER_ENABLED"`

diff --git a/api/internal/middleware/jwt.go b/api/internal/middleware/jwt.go
@@ -35,7 +35,7 @@ func (m *mw) JWT(ctx huma.Context, next func(huma.Context)) {
 		}
 	default:
 		pub := fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", m.cfg.AuthPublicKey)
-		userJWT, err = parseJWTFromHeader(ctx, pub)
+		userJWT, err = parseJWTFromHeader(ctx, pub, []string{m.cfg.AuthSigningMethod})
 		if err != nil {
 			httperr.SetResponse(ctx, httperr.Forbidden(errors.New("JWT invalid")))
 			return
@@ -48,7 +48,7 @@ func (m *mw) JWT(ctx huma.Context, next func(huma.Context)) {
 	next(ctx)
 }
 
-func parseJWTFromHeader(ctx huma.Context, publicKey string) (*jwt.Token, error) {
+func parseJWTFromHeader(ctx huma.Context, publicKey string, validMethods []string) (*jwt.Token, error) {
 	rawToken, err := getJWTFromHeaderRaw(ctx)
 	if err != nil {
 		return nil, err
@@ -58,7 +58,7 @@ func parseJWTFromHeader(ctx huma.Context, publicKey string) (*jwt.Token, error)
 			return nil, errors.New("unexpected signing method")
 		}
 		return jwt.ParseRSAPublicKeyFromPEM([]byte(publicKey))
-	})
+	}, jwt.WithValidMethods(validMethods))
 	if err != nil {
 		return nil, err
 	}