adhere to jwt/v4 security recommendation: "validate the alg presented is what you expect"

2025-05-13 21:10:24 -04:00 · 2025-05-13 21:10:24 -04:00 · 6e6beab914
commit 6e6beab914
parent 07fe90ff5f
1 changed files with 2 additions and 1 deletions
--- a/http/auth.go
+++ b/http/auth.go
@ -87,7 +87,8 @@ func withUser(fn handleFunc) handleFunc {
 		}

 		var tk authToken
-		token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk))
+		p := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
+		token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk), request.WithParser(p))

 		if (err != nil || !token.Valid) && !renewableErr(err, d) {
 			return http.StatusUnauthorized, nil