jwt icon indicating copy to clipboard operation
jwt copied to clipboard

Published 20 hours ago verified publisher icon golang-jwt

Fix bug in validation of multiple audiences

Open sfinnman-cotn opened this issue 6 months ago • 8 comments

In a situation where multiple audiences are validated by the validator, the order of evaluation of the for-range loop affects the result.

If we produce matches such as:

{
  "example.org": true,
  "example.com": false,
}

and we configured the validator to expect a single match on audience, the code would either:

  1. produce "token has invalid audience" if "example.org" was evaluated first

  2. produce a passing result if "example.com" was evaluated first

This commit fixes this bug, and adds a suite of tests as well as regression tests to prevent this issue in future.

sfinnman-cotn avatar May 27 '25 12:05 sfinnman-cotn

There might be! I didn't want to change the implementation too much, since i assume there is a good reason for using a map key lookup as a string comparison function. I don't want to accidentally introduce new bugs with this fix. Ill add the comment as asked for!

sfinnman-cotn avatar May 28 '25 09:05 sfinnman-cotn

There might be! I didn't want to change the implementation too much, since i assume there is a good reason for using a map key lookup as a string comparison function. I don't want to accidentally introduce new bugs with this fix. Ill add the comment as asked for!

I am not really happy with this implementation, so if you have a better way that is easier to maintain, please go ahead!

oxisto avatar May 28 '25 11:05 oxisto

I pushed a rewrite of the method. This implementation is easier to understand, has worse asymptotic complexity, but is probably faster in most real world cases.

sfinnman-cotn avatar May 28 '25 14:05 sfinnman-cotn

I'm a bit unsure what the expectation should be for the required flag, it could mean that there must exist a non-zero value in the aud claim, or just that the aud claim is present. It feels like a bit of a toss-up in terms of what a consumer of the api would expect in behaviour.

sfinnman-cotn avatar May 28 '25 14:05 sfinnman-cotn

I pushed a rewrite of the method. This implementation is easier to understand, has worse asymptotic complexity, but is probably faster in most real world cases.

I think it's much cleaner, thanks!

@mfridman please have a look as well

oxisto avatar Jun 04 '25 09:06 oxisto

What more needs to be done for this to get merged @mfridman @oxisto?

sfinnman-cotn avatar Jun 10 '25 11:06 sfinnman-cotn

@oxisto I'm okay we merge this, and we follow up with any improvements, if any. The only thing I can see is if !required and returning no error on line 252.

mfridman avatar Jun 10 '25 12:06 mfridman

@oxisto I'm okay we merge this, and we follow up with any improvements, if any. The only thing I can see is if !required and returning no error on line 252.

I am currently swamped at work and I need some time to think about this unhindered, I will have a look at this at the weekend, the rest looks good to merge.

oxisto avatar Jun 12 '25 23:06 oxisto

LGTM, thanks for the updates @oxisto

mfridman avatar Jul 01 '25 00:07 mfridman

Can we please have this released?

OrkhanAlikhanov avatar Jul 12 '25 14:07 OrkhanAlikhanov

https://github.com/golang-jwt/jwt/releases/tag/v5.2.3

oxisto avatar Jul 15 '25 10:07 oxisto