From 97c379dad2ca042c6b2fc915c7dcc2b22e7569e3 Mon Sep 17 00:00:00 2001
From: Brian Martin
Date: Tue, 12 Apr 2022 13:48:10 -0700
Subject: [PATCH] fix: resolve cargo audit errors from jsonwebtoken (#44)
Resolves the cargo audit errors by upgrading jsonwebtoken to 8.0.1 and making necessary code changes.
Fixes #40
---
 Cargo.toml | 2 +-
 src/jwt.rs | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index bbcf810f..9c4157d6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,7 @@ prost = "0.9.0"
 rustls = { version = "0.19.1", features = ["dangerous_configuration"] }
 webpki = "0.21.3"
 tower = "0.4.8"
-jsonwebtoken = "7"
+jsonwebtoken = "8.0.1"
 serde = {version = "1.0", features = ["derive"] }
 serde_json = "1.0.79"
 base64-url = "1.4.13"
diff --git a/src/jwt.rs b/src/jwt.rs
index 850bf1ea..4c1a8d2c 100644
--- a/src/jwt.rs
+++ b/src/jwt.rs
@@ -1,4 +1,4 @@
-use jsonwebtoken::dangerous_insecure_decode;
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use serde::{Deserialize, Serialize};
 use crate::response::error::MomentoError;
@@ -16,7 +16,16 @@ pub fn decode_jwt(jwt: &str) -> Result {
 "Malformed Auth Token".to_string(),
 ));
 }
- let token = dangerous_insecure_decode::(jwt)?;
+ let key = DecodingKey::from_secret("".as_ref());
+ let mut validation = Validation::new(Algorithm::HS256);
+ validation.required_spec_claims.clear();
+ validation.required_spec_claims.insert("sub".to_string());
+ validation.required_spec_claims.insert("c".to_string());
+ validation.required_spec_claims.insert("cp".to_string());
+ validation.validate_exp = false;
+ validation.insecure_disable_signature_validation();
+ let token = decode(jwt, &key, &validation)?;
+
 Ok(token.claims)
 }
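Review bot: The new decode path in the second jwt.rs hunk deliberately turns off signature and expiry checking (`insecure_disable_signature_validation()` and `validate_exp = false`) but carries no comment saying so, and a reader who sees `decode(jwt, &key, &validation)` with a `Validation` and a `DecodingKey` will assume the token has been verified; the old name `dangerous_insecure_decode` made this obvious and the new code does not. Add a comment above `let key = DecodingKey::from_secret("".as_ref());` along the lines of `// Parses claims only: the signature and exp are intentionally NOT verified here, so the returned claims are untrusted client-side input (presumably the service verifies the token); the HS256 algorithm and empty secret are placeholders that jsonwebtoken requires, not a real key.` That last part matters because, as far as I recall, jsonwebtoken 8 also skips the algorithm check once signature validation is disabled, so someone later "fixing" the empty secret would not actually be adding verification. As a minor style point, `DecodingKey::from_secret(&[])` says the same thing more plainly than `"".as_ref()`. decode_jwt's signature, the empty-token guard and the `From` conversion that `?` relies on all sit outside the hunk.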