This link was provided to me in another discussion with a good discussion on how JWTs can be compromised if you are not checking the encryption type.
They link the following best practices which seem pretty straightforward.
I have looked at the Joken code but can’t find the code for verify or validate to see what it is actually doing. Perhaps this is in JOSE from the sound of it?
https://github.com/joken-elixir/joken/tree/de299190741a7991dd2e66da98ec3f9d91fda737/lib
I wrote the following to do my own “pre-authentication” of tokens before Joken.verify_and_validate. Any obvious flaw? If it can be written better I’m open, as I’m still learning Elixir coding. My method here is just to nil the token if it fails (my preferred system for simplicity).
Failure is (1) not being a three piece string, (2) not having RS256 set as “alg”, (3) having a “kid” (which can bypass the encryption method set by “alg” and I am not using) that is not nil.
Is this necessary though? Is Joken already checking this? Where is the source code for what Joken does?
token =
  if is_binary(token) do
    case String.split(token, ".") do
      [header, _, _] ->
        # JWT segments are base64url without padding, so Base.decode64/1 would reject most headers
        case Base.url_decode64(header, padding: false) do
          {:ok, decoded} ->
            case Jason.decode(decoded) do # returns {:ok, map} if it works
              {:ok, map} when is_map(map) ->
                if Map.get(map, "alg") == "RS256" && Map.get(map, "kid") == nil do
                  IO.puts("TOKEN FOUND AS RS256")
                  token
                else
                  nil # not RS256 or has kid set to a value
                end

              _ ->
                nil # JSON not decoded as a map
            end

          _ ->
            nil # failed to base64url-decode header
        end

      _ ->
        nil # not a three-piece string
    end
  else
    nil # not binary
  end
Thanks.
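The same header pre-check written as a reusable function, added here as an example; it is not code from the post above and not Joken's or JOSE's own code. It assumes Jason is available as the JSON library (Joken depends on it); the module name JwtPrecheck, the helper sample_token/1 and the error atoms are made up for illustration, and the sample tokens are constructed test inputs whose third segment is not a real signature. It decodes the header as base64url without padding, pins "alg" to one expected value and rejects any "kid", returning {:ok, token} or {:error, reason} instead of nil so the caller can log why a token was dropped. Gating on the header like this only narrows what reaches the verifier; the signature still has to be verified with an RS256 key that is fixed on the server side.

```elixir
defmodule JwtPrecheck do
  @moduledoc """
  Pre-check a compact JWS (header.payload.signature) before handing it to the
  real verifier. Rejects tokens whose header does not pin the expected
  algorithm, or that carry a "kid" when key lookup by id is not in use.
  (Illustrative module; not part of Joken.)
  """

  @expected_alg "RS256"

  @doc "Returns {:ok, token} when the header passes, {:error, reason} otherwise."
  def precheck(token, expected_alg \\ @expected_alg)

  def precheck(token, expected_alg) when is_binary(token) do
    with [header_b64, _payload_b64, _sig_b64] <- String.split(token, "."),
         # JWS segments are base64url with no "=" padding, so plain Base.decode64/1 would fail here
         {:ok, header_json} <- Base.url_decode64(header_b64, padding: false),
         {:ok, %{} = header} <- Jason.decode(header_json),
         :ok <- check_alg(header, expected_alg),
         :ok <- check_no_kid(header) do
      {:ok, token}
    else
      parts when is_list(parts) -> {:error, :not_three_parts}
      :error -> {:error, :header_not_base64url}
      {:ok, _not_a_map} -> {:error, :header_not_object}
      {:error, %Jason.DecodeError{}} -> {:error, :header_not_json}
      {:error, reason} -> {:error, reason}
    end
  end

  def precheck(_token, _expected_alg), do: {:error, :not_binary}

  # "alg" must be present and must equal the algorithm the server expects;
  # "none", "HS256" or anything else is refused before any key is touched.
  defp check_alg(%{"alg" => alg}, alg), do: :ok
  defp check_alg(%{"alg" => other}, _expected), do: {:error, {:unexpected_alg, other}}
  defp check_alg(_header, _expected), do: {:error, :missing_alg}

  # Stricter than `== nil`: a header that carries "kid" at all is refused,
  # including "kid": null, because this deployment never selects keys by id.
  defp check_no_kid(header) do
    if Map.has_key?(header, "kid"), do: {:error, :kid_present}, else: :ok
  end

  @doc """
  Builds a three-part token from a header map for testing the pre-check.
  Constructed input only: the payload is fixed and the signature segment is
  just the base64url of the word "signature", so this token will never verify.
  """
  def sample_token(header) when is_map(header) do
    [header, %{"sub" => "alice"}]
    |> Enum.map(&Base.url_encode64(Jason.encode!(&1), padding: false))
    |> Kernel.++(["c2lnbmF0dXJl"])
    |> Enum.join(".")
  end
end

# Usage (run in iex inside a project that has Jason):
#   JwtPrecheck.precheck(JwtPrecheck.sample_token(%{"alg" => "RS256", "typ" => "JWT"}))
#   JwtPrecheck.precheck(JwtPrecheck.sample_token(%{"alg" => "none", "typ" => "JWT"}))
#   JwtPrecheck.precheck(JwtPrecheck.sample_token(%{"alg" => "HS256", "typ" => "JWT"}))
#   JwtPrecheck.precheck(JwtPrecheck.sample_token(%{"alg" => "RS256", "kid" => "1"}))
#   JwtPrecheck.precheck("not.a.jwt")
#   JwtPrecheck.precheck(nil)
```

The first call is the only one that returns {:ok, _}; the others return {:error, _} with a reason naming which check failed, which is what you would want in a log line when someone starts probing the endpoint with "none" or HS256 headers. The `with` chain keeps each failure branch next to the check that produced it instead of nesting four levels of `case`.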