fix(jwt): deny requests that have different tokens in the jwt token search locations.

CHANGELOG.md

@@ -69,9 +69,16 @@
 
 ## Unreleased
 
+### Breaking Changes
+
+#### Plugins
+
+- **JWT**: JWT plugin now denies a request that has different tokens in the jwt token search locations.
+  [#9946](https://github.com/Kong/kong/pull/9946)
+
 ### Additions
 
-### Plugins
+#### Plugins
 
 - **Zipkin**: Add support to set the durations of Kong phases as span tags
   through configuration property `config.phase_duration_flavor`.
@@ -94,6 +101,8 @@
 
 - **Zipkin**: Fix an issue where the global plugin's sample ratio overrides route-specific.
   [#9877](https://github.com/Kong/kong/pull/9877)
+- **JWT**: Deny requests that have different tokens in the jwt token search locations. Thanks Jackson 'Che-Chun' Kuo from Latacora for reporting this issue.
+  [#9946](https://github.com/Kong/kong/pull/9946)
 
 ### Dependencies
 

kong/plugins/jwt/handler.lua

@@ -8,6 +8,7 @@ local kong = kong
 local type = type
 local error = error
 local ipairs = ipairs
+local pairs = pairs
 local tostring = tostring
 local re_gmatch = ngx.re.gmatch
 
@@ -24,19 +25,30 @@ local JwtHandler = {
 -- @param conf Plugin configuration
 -- @return token JWT token contained in request (can be a table) or nil
 -- @return err
-local function retrieve_token(conf)
+local function retrieve_tokens(conf)
+  local token_set = {}
   local args = kong.request.get_query()
   for _, v in ipairs(conf.uri_param_names) do
-    if args[v] then
-      return args[v]
+    local token = args[v] -- can be a table
+    if token then
+      if type(token) == "table" then
+        for _, t in ipairs(token) do
+          if t ~= "" then
+            token_set[t] = true
+          end
+        end
+
+      elseif token ~= "" then
+        token_set[token] = true
+      end
     end
   end
 
   local var = ngx.var
   for _, v in ipairs(conf.cookie_names) do
     local cookie = var["cookie_" .. v]
     if cookie and cookie ~= "" then
-      return cookie
+      token_set[cookie] = true
     end
   end
 
@@ -60,10 +72,29 @@ local function retrieve_token(conf)
       end
 
       if m and #m > 0 then
-        return m[1]
+        if m[1] ~= "" then
+          token_set[m[1]] = true
+        end
       end
     end
   end
+
+  local tokens_n = 0
+  local tokens = {}
+  for token, _ in pairs(token_set) do
+    tokens_n = tokens_n + 1
+    tokens[tokens_n] = token
+  end
+
+  if tokens_n == 0 then
+    return nil
+  end
+
+  if tokens_n == 1 then
+    return tokens[1]
+  end
+
+  return tokens
 end
 
 
@@ -117,7 +148,7 @@ end
 
 
 local function do_authentication(conf)
-  local token, err = retrieve_token(conf)
+  local token, err = retrieve_tokens(conf)
   if err then
     return error(err)
   end

spec/03-plugins/16-jwt/03-access_spec.lua

@@ -396,6 +396,21 @@ for _, strategy in helpers.each_strategy() do
         assert.falsy(ok)
         assert.match("Code: Unauthenticated", err)
       end)
+
+      it("reject if multiple different tokens found", function()
+        PAYLOAD.iss = jwt_secret.key
+        local jwt = jwt_encoder.encode(PAYLOAD, jwt_secret.secret)
+        local res = assert(proxy_client:send {
+          method  = "GET",
+          path    = "/request?jwt=" .. jwt,
+          headers = {
+            ["Authorization"] = "Bearer invalid.jwt.token",
+            ["Host"]          = "jwt1.com",
+          }
+        })
+        local body = cjson.decode(assert.res_status(401, res))
+        assert.same({ message = "Multiple tokens provided" }, body)
+      end)
     end)
 
     describe("HS256", function()