add alg as valid signing method

+6 -4
+6 -4
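--- a/server.go
+++ b/server.go
@@ -194,16 +194,18 @@
 func getRequestUserDID(r *http.Request) (string, error) {
 headerValues := r.Header["Authorization"]
 
-slog.Info("header values", "vals", headerValues)
-
 if len(headerValues) != 1 {
 return "", fmt.Errorf("missing authorization header")
 }
 token := strings.TrimSpace(strings.Replace(headerValues[0], "Bearer ", "", 1))
 
-parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
+validMethods := jwt.WithValidMethods([]string{"alg"})
+
+keyfunc := func(token *jwt.Token) (interface{}, error) {
 return token, nil
-})
+}
+
+parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, keyfunc, validMethods)
 if err != nil {
 return "", fmt.Errorf("invalid token: %s", err)
 }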
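Review bot: The key function in this hunk returns the parsed token itself as the verification key (`return token, nil`), so the signature is never checked against a key belonging to the claimed issuer; the standard signing methods do not accept that value as a key, and any method that does accept it is not verifying the caller's DID. The keyfunc should resolve the issuer's public key (presumably from the DID in the `iss` claim) and return that instead. Separately, `jwt.WithValidMethods([]string{"alg"})` is matched against the algorithm name in the token header, and `"alg"` is the header field name rather than an algorithm; unless a custom method is registered under that name elsewhere, the list should carry the accepted identifiers, e.g. `jwt.WithValidMethods([]string{jwt.SigningMethodES256.Alg()})`. The rest of getRequestUserDID lies outside the hunk, so how the parsed claims are used afterwards is not visible here.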