spetz commented on code in PR #2656:
URL: https://github.com/apache/iggy/pull/2656#discussion_r2891358364
##########
core/server/src/http/jwt/jwt_manager.rs:
##########
@@ -232,26 +248,92 @@ impl JwtManager {
.error(|e: &IggyError| {
format!("{COMPONENT} (error: {e}) - failed to save revoked
access token: {id}")
})?;
- self.generate(jwt_claims.claims.sub)
+ let user_id = jwt_claims
+ .claims
+ .sub
+ .parse::<u32>()
+ .map_err(|_| IggyError::InvalidAccessToken)?;
+ self.generate(user_id)
}
- pub fn decode(
+ pub async fn decode(
&self,
token: &str,
algorithm: Algorithm,
) -> Result<TokenData<JwtClaims>, IggyError> {
let validation = self.validations.get(&algorithm);
- if validation.is_none() {
- return Err(IggyError::InvalidJwtAlgorithm(
- Self::map_algorithm_to_string(algorithm),
- ));
- }
+ let kid = jsonwebtoken::decode_header(token).ok().and_then(|h| h.kid);
- let validation = validation.unwrap();
- match jsonwebtoken::decode::<JwtClaims>(token, &self.validator.key,
validation) {
- Ok(claims) => Ok(claims),
- _ => Err(IggyError::Unauthenticated),
- }
+ // try to decode using JWKS if it's a trusted issuer
+ let insecure = match
jsonwebtoken::dangerous::insecure_decode::<JwtClaims>(token) {
+ Ok(claims) => claims,
+ Err(_) => {
+ error!("Failed to decode JWT insecurely");
+ return self.decode_with_fallback(token, validation, algorithm);
+ }
+ };
+
+ /* debug!(
Review Comment:
Let's get rid of any commented out code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
