This is an automated email from the ASF dual-hosted git repository. rnewson pushed a commit to branch jwt-exp-by-default in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 1f736f97aa023045ae67927714eb9bda95e1e5ca
Author: Robert Newson <[email protected]>
AuthorDate: Thu May 16 10:02:23 2024 +0100
JWT: require valid `exp` claim by default
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice.
closes https://github.com/apache/couchdb/issues/5046
---
rel/overlay/etc/default.ini | 5 ++++-
src/couch/src/couch_httpd_auth.erl | 2 +-
src/docs/src/whatsnew/3.4.rst | 45 ++++++++++++++++++++++++++++++++++++++
src/docs/src/whatsnew/index.rst | 1 +
4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 8c345b6af..87265f0d2 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -225,7 +225,10 @@ bind_address = 127.0.0.1
 ; List of claims to validate
 ; can be the name of a claim like "exp" or a tuple if the claim requires
 ; a parameter
-;required_claims = exp, {iss, "IssuerNameHere"}
+; Example:
+; required_claims = exp, nbf, {iss, "MyCompany"}
+; default value if not set;
+;required_claims = exp
 ; roles_claim_name is marked as deprecated. Please use roles_claim_path instead!
 ; Values for ``roles_claim_name`` can only be top-level attributes in the JWT
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 58fd4320c..f5630f5e3 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
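Review bot: The added comment `; default value if not set;` sitting directly above the commented-out `;required_claims = exp` reads as if commenting the line out turns the check off, while the code default is now `"exp"` and, per the commit message, the opt-out requires an explicitly empty value. Suggest rewording the two added comment lines to `; Default when this key is absent is "exp". To disable the check, set an explicit empty value:` and `; required_claims =`, leaving the existing `;required_claims = exp` as the example of the default. The trailing semicolon in `not set;` also looks like a typo.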
@@ -306,7 +306,7 @@ get_roles_claim(Claims) ->
 end.
 get_configured_claims() ->
- Claims = config:get("jwt_auth", "required_claims", ""),
+ Claims = config:get("jwt_auth", "required_claims", "exp"),
 Re = "((?<key1>[a-z]+)|{(?<key2>[a-z]+)\s*,\s*\"(?<val>[^\"]+)\"})",
 case re:run(Claims, Re, [global, {capture, [key1, key2, val], binary}]) of
 nomatch when Claims /= "" ->
diff --git a/src/docs/src/whatsnew/3.4.rst b/src/docs/src/whatsnew/3.4.rst
new file mode 100644
index 000000000..d5fe93f09
--- /dev/null
+++ b/src/docs/src/whatsnew/3.4.rst
@@ -0,0 +1,45 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _release/3.4.x:
+
+============
+3.4.x Branch
+============
+
+.. contents::
+ :depth: 1
+ :local:
+
+.. _release/3.4.0:
+
+Version 3.4.0
+=============
+
+* JWT: require valid `exp` claim by default
+
+.. _release/3.4.x/breakingchanges:
+
+Breaking Changes
+================
+
+* :ghissue:`5046`: JWT: require valid `exp` claim by default
+
+ Users of JWT rightly expect tokens to be considered invalid once they expire. It
+ is a surprise to some that this requires a change to the default
+ configuration. In the interest of security we will now require a valid `exp`
+ claim in tokens. Administrators can disable the check by changing
+ `required_claims` back to the empty string.
+
+ We recommend adding `nbf` as a required claim if you know your tokens will
+ include it.
+
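Review bot: The new `"exp"` default passed to `config:get/3` only takes effect when the key is absent from the config, so the documented opt-out relies on an explicitly empty `required_claims` value reaching the `nomatch when Claims /= ""` guard as `""` rather than as the default; that dependency deserves a comment above the changed line, e.g. `%% Default requires exp; an explicitly empty config value disables the required-claim check.`. `get_configured_claims/0` continues outside the hunk, so the branch that handles the empty string is not visible here. Nothing in this hunk changes how a present `exp` value is validated; presumably the expiry comparison happens elsewhere and is unaffected.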
diff --git a/src/docs/src/whatsnew/index.rst b/src/docs/src/whatsnew/index.rst
index bc92f938f..2d0649dc5 100644
--- a/src/docs/src/whatsnew/index.rst
+++ b/src/docs/src/whatsnew/index.rst
@@ -20,6 +20,7 @@ Release Notes
 :glob:
 :maxdepth: 2
+ 3.4
 3.3
 3.2
 3.1
