Disable default audience validation also for JWKS (#4495)

This commit is contained in:
Gerard Guillemas Martos 2024-08-12 18:05:19 +02:00 committed by GitHub
parent f8ba01a688
commit d038fb2c7a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 13 additions and 2 deletions

View file

@ -203,7 +203,17 @@ pub(super) async fn config(
// Return verification configuration if a decoding key can be retrieved from the JWK object
match DecodingKey::from_jwk(&jwk) {
Ok(dec) => Ok((dec, Validation::new(alg))),
Ok(dec) => {
let mut val = Validation::new(alg);
// TODO(gguillemas): This keeps the existing behavior as of SurrealDB 2.0.0-alpha.9.
// Up to that point, a fork of the "jsonwebtoken" crate in version 8.3.0 was being used.
// Now that the audience claim is validated by default, we could allow users to leverage this.
// This will most likely involve defining an audience string via "DEFINE ACCESS ... TYPE JWT".
val.validate_aud = false;
Ok((dec, val))
}
Err(err) => {
warn!("Failed to retrieve decoding key from JWK object: '{}'", err);
Err(Error::InvalidAuth) // Return opaque error

View file

@ -60,7 +60,7 @@ fn config(alg: Algorithm, key: &[u8]) -> Result<(DecodingKey, Validation), Error
// TODO(gguillemas): This keeps the existing behavior as of SurrealDB 2.0.0-alpha.9.
// Up to that point, a fork of the "jsonwebtoken" crate in version 8.3.0 was being used.
// Now that the audience claim is validated by default, we should allow users to leverage this.
// Now that the audience claim is validated by default, we could allow users to leverage this.
// This will most likely involve defining an audience string via "DEFINE ACCESS ... TYPE JWT".
val.validate_aud = false;
@ -1801,6 +1801,7 @@ mod tests {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
aud: Some(Audience::Single("surrealdb-test".to_string())),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),