Fix issues after security audit

Entire-Checkpoint: bc18358a9343
2026-06-06 03:37:29 +02:00 · 2026-06-04 18:33:30 +02:00
parent 58ead40112
commit 6f7e262f3f
7 changed files with 68 additions and 32 deletions
--- a/internal/auth/jwtCookieSession.go
+++ b/internal/auth/jwtCookieSession.go
@@ -9,6 +9,7 @@ import (
 	"crypto/ed25519"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"net/http"
 	"os"

@@ -119,22 +120,26 @@ func (ja *JWTCookieSessionAuthenticator) Login(
 		rawtoken = jwtCookie.Value
 	}

-	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (any, error) {
-		if t.Method != jwt.SigningMethodEdDSA {
-			return nil, errors.New("only Ed25519/EdDSA supported")
-		}
+	parser := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodEdDSA.Alg()}))

-		unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
-		if success && unvalidatedIssuer == jc.TrustedIssuer {
-			// The (unvalidated) issuer seems to be the expected one,
-			// use public cross login key from config
-			return ja.publicKeyCrossLogin, nil
-		}
+	unverified, _, perr := parser.ParseUnverified(rawtoken, jwt.MapClaims{})
+	if perr != nil {
+		cclog.Warn("JWT cookie session: error while parsing token")
+		return nil, perr
+	}
+	issuer, _ := unverified.Claims.(jwt.MapClaims)["iss"].(string)

-		// No cross login key configured or issuer not expected
-		// Try own key
-		return ja.publicKey, nil
-	})
+	var key any
+	switch issuer {
+	case jc.TrustedIssuer:
+		key = ja.publicKeyCrossLogin
+	case "":
+		key = ja.publicKey
+	default:
+		return nil, fmt.Errorf("untrusted JWT issuer: %q", issuer)
+	}
+
+	token, err := parser.Parse(rawtoken, func(*jwt.Token) (any, error) { return key, nil })
 	if err != nil {
 		cclog.Warn("JWT cookie session: error while parsing token")
 		return nil, err