fix: prosody: token alg is checked before public key is used
parent
fb144a55a3
commit
81c4e9a7fd
|
@ -270,6 +270,13 @@ function Util:process_and_verify_token(session, acceptedIssuers)
|
|||
if kid == nil then
|
||||
return false, "not-allowed", "'kid' claim is missing";
|
||||
end
|
||||
local alg = header["alg"];
|
||||
if alg == nil then
|
||||
return false, "not-allowed", "'alg' claim is missing";
|
||||
end
|
||||
if alg.sub(alg,1,2) ~= "RS" then
|
||||
return false, "not-allowed", "'kid' claim only support with RS family";
|
||||
end
|
||||
pubKey = self:get_public_key(kid);
|
||||
if pubKey == nil then
|
||||
return false, "not-allowed", "could not obtain public key";
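Review bot: The added `alg.sub(alg,1,2)` test assumes `alg` is a string, but the value comes from the token header before any signature has been verified, so a header carrying a number, boolean or object there would raise a Lua error rather than return "not-allowed"; using `if type(alg) ~= "string" then` in place of `if alg == nil then` covers both the missing and the wrong-type case. The two-character prefix test also accepts any value that merely begins with "RS", so an exact comparison against the RS algorithms the verifier implements would be tighter. The verify call is outside this hunk, so it is worth confirming that verification is pinned to this checked value and does not re-read the header. The rejection text names 'kid' although the field being rejected is `alg`; a message such as `"'alg' must be an RS algorithm when 'kid' is present"` would be easier to trace in logs.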
|
||||
|
|