AxisCommunications / go-dpop / 11951545705

21 Nov 2024 10:41AM UTC coverage: 89.189% (+1.0%) from 88.235%
Build 11951545705 (push, github, committer web-flow)
fix: gracefully handle malformed jwk headers (#24)

Fixes an issue where parsing of a proof resulted in a panic if the `jwk`
header was malformed. Now all parsing of the `jwk` header uses safe type
assertions.

- Fixes #23

39 of 39 new or added lines in 1 file covered. (100.0%)

264 of 296 relevant lines covered (89.19%)

0.99 hits per line

Source file: /boundtoken.go (100.0% of lines covered)
```go
package dpop

import "github.com/golang-jwt/jwt/v5"

// These claims contain the fields that are required to be present in bound access tokens.
//
// If there is a need for custom claims, this struct can be embedded
// in the custom claims to ensure they can still be validated with the Validate function.
type BoundAccessTokenClaims struct {
	*jwt.RegisteredClaims

	// the `cnf` (Confirmation) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-6.1
	Confirmation Confirmation `json:"cnf"`
}

type Confirmation struct {
	// the `jkt` (JWK Thumbprint) claim. See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-6.1
	JWKThumbprint string `json:"jkt"`
}

// BoundAccessTokenClaims implements the 'ClaimsValidator' interface from golang-jwt/jwt.
//
// This ensures that bound tokens have the required JWK thumbprint when parsed with 'ParseWithClaims'.
func (c *BoundAccessTokenClaims) Validate() error {
	if c.Confirmation.JWKThumbprint == "" {
		return ErrIncorrectAccessTokenClaimsType
	}
	return nil
}

// GetJWKThumbprint implements the BoundClaims interface.
func (c *BoundAccessTokenClaims) GetJWKThumbprint() (string, error) {
	return c.Confirmation.JWKThumbprint, nil
}

// This interface allows custom claims to be used in bound tokens.
//
// As long as any custom claims embed 'BoundAccessTokenClaims' they will implement this interface
// and 'Validate' should handle them correctly.
type BoundClaims interface {
	jwt.Claims
	GetJWKThumbprint() (string, error)
}
```
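The commit message above says the fix replaced bare type assertions on the `jwk` proof header with safe ones. The Go block below is an added illustration of that contrast, not go-dpop's own code: `unsafeJWK`, `safeJWK`, `panics`, `ErrMalformedJWK` and the per-key-type member list (taken from the RFC 7638 thumbprint inputs) are assumptions made for the example, and the header JSON is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrMalformedJWK is returned, instead of panicking, when the jwk header is unusable (constructed name).
var ErrMalformedJWK = errors.New("dpop: malformed jwk header")

// requiredMembers lists the JWK members an RFC 7638 thumbprint reads for each key type.
var requiredMembers = map[string][]string{"EC": {"crv", "x", "y"}, "RSA": {"e", "n"}, "OKP": {"crv", "x"}}

// unsafeJWK mirrors the pre-fix pattern: a bare assertion panics if jwk is missing or not an object.
func unsafeJWK(header map[string]any) map[string]any {
	return header["jwk"].(map[string]any)
}

// safeJWK uses comma-ok assertions throughout, so malformed input becomes an error the caller can reject.
func safeJWK(header map[string]any) (map[string]any, error) {
	jwk, isObject := header["jwk"].(map[string]any)
	kty, _ := jwk["kty"].(string) // reading a nil map is safe in Go; kty stays ""
	members, known := requiredMembers[kty]
	if !isObject || !known {
		return nil, ErrMalformedJWK
	}
	for _, m := range members {
		if _, isString := jwk[m].(string); !isString {
			return nil, ErrMalformedJWK
		}
	}
	return jwk, nil
}

// panics reports whether fn panics, so both behaviours can be compared on the same input.
func panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

func main() {
	// Constructed DPoP proof header whose jwk is a string rather than a key object.
	var h map[string]any
	_ = json.Unmarshal([]byte(`{"typ":"dpop+jwt","alg":"ES256","jwk":"not-a-key"}`), &h)
	_, err := safeJWK(h)
	fmt.Printf("safe: %v; unsafe panics: %v\n", err, panics(func() { unsafeJWK(h) }))
}
```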

© 2025 Coveralls, Inc