From d625b8e3f37a0a47efcb83ce0fe8080e26673541 Mon Sep 17 00:00:00 2001
From: Sam Whited
Date: Mon, 18 Jul 2016 13:27:14 -0500
Subject: [PATCH] Check for "none" alg in JWT signing

---
 prosody-plugins/token/util.lib.lua | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/prosody-plugins/token/util.lib.lua b/prosody-plugins/token/util.lib.lua
index 98b083135..ed5d4eb52 100644
--- a/prosody-plugins/token/util.lib.lua
+++ b/prosody-plugins/token/util.lib.lua
@@ -21,6 +21,11 @@ local function _verify_token(token, appId, appSecret, roomName, disableRoomNameC
         return nil, err;
     end
 
+    local alg = claims["alg"];
+    if alg ~= nil and (alg == "none" or alg == "") then
+        return nil, "'alg' claim must not be empty";
+    end
+
     local issClaim = claims["iss"];
     if issClaim == nil then
         return nil, "'iss' claim is missing";
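Review bot: The added guard `if alg ~= nil and (alg == "none" or alg == "") then` is a denylist, so any other spelling of the value (`None`, `NONE`) or any algorithm the verifier was never meant to accept still passes; the safer form is an allowlist against the single algorithm this code is configured to verify with, e.g. `if alg ~= EXPECTED_ALG then return nil, "unexpected 'alg'"; end` where EXPECTED_ALG is that configured name. The `alg ~= nil` clause also lets a token with no alg value through, which should be rejected the same way as "none". Note that `alg` is a JOSE header field rather than a payload claim, so reading it from `claims` only works if the decoder merges the header into that table — worth confirming against the library in use. The message `"'alg' claim must not be empty"` is also misleading when the rejected value is "none". _verify_token begins before this hunk and continues past it.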