fix: prosody: token alg is checked before public key is used

Aaron van Meerten 2021-06-02 11:12:22 -05:00 committed by Дамян Минков
parent fb144a55a3
commit 81c4e9a7fd
1 changed files with 7 additions and 0 deletions


@ -270,6 +270,13 @@ function Util:process_and_verify_token(session, acceptedIssuers)
if kid == nil then
return false, "not-allowed", "'kid' claim is missing";
end
local alg = header["alg"];
if alg == nil then
return false, "not-allowed", "'alg' claim is missing";
end
if alg.sub(alg,1,2) ~= "RS" then
return false, "not-allowed", "'kid' claim only support with RS family";
end
pubKey = self:get_public_key(kid);
if pubKey == nil then
return false, "not-allowed", "could not obtain public key";
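Review bot: The new `alg` guard tests only for nil, so a token whose header carries a non-string `alg` (for example a number or object after JSON decoding) reaches `alg.sub(alg,1,2)` and raises a Lua error instead of returning "not-allowed"; the guard would be safer as `if type(alg) ~= "string" then`. The prefix comparison also accepts any value that merely begins with "RS", so an exact allowlist of the RS algorithms the verifier supports would make the binding between key type and algorithm explicit, assuming the later verification step (outside this hunk) still reads the algorithm from the header. The rejection message `'kid' claim only support with RS family` is hard to read and would be clearer as `"'kid' is only supported with RS-family algorithms"`. process_and_verify_token starts and ends outside the hunk, so how an error raised here is handled by the caller is not visible.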