Given a feature where you log in using a JWT and get redirected to a URL that is inside the claims of the JWT, when a JWT is expired you are still redirected without logging in.
Because the expiration is checked before the validity of the signature, a JWT::ExpiredSignature is raised before the signature is checked. This allows attackers to create a malicious token, with a bogus signature, that is expired but includes a redirect claim, making an open redirect.
You could fix it by doing a decode with verify_expiration: false first, before decoding it again with all verifications set to true.
Of course, you shouldn't add a feature on expired tokens, but I would expect that the validity is checked before checking the claims. Furthermore, this is just one example where it could go wrong.
It's about this code: https://git.io/votyr
I propose switching it around, verifying the validity of the signature first, and then the claims.
Thanks for the great Gem!
Cheers,
—Koen
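As an added example that is not part of this issue or of the ruby-jwt gem, here is a minimal HS256 verifier in Ruby (standard library only) that does what the issue proposes: it checks the signature before reading any claim, so an expired token carrying a bogus signature is rejected as a signature failure rather than reported as expired, and its redirect claim is never parsed. The error class names, helper names, the `verify_outcome` helper and the `redirect` claim are assumptions made for this example.

```ruby
require 'json'
require 'openssl'
# Hypothetical error classes for this example (ruby-jwt raises its own).
class SignatureError < StandardError; end
class ExpiredError < StandardError; end

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0') # strict decode
end

# Constant-time comparison so the HMAC check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def hs256_sign(signing_input, secret)
  OpenSSL::HMAC.digest('SHA256', secret, signing_input)
end

def encode_hs256(claims, secret)
  signing_input = "#{b64url_encode(JSON.generate({ alg: 'HS256' }))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(hs256_sign(signing_input, secret))}"
end

# Signature first, claims second: a token whose signature does not verify is
# rejected before its payload is parsed, so neither 'exp' nor a redirect
# claim is ever read from a forged token.
def decode_hs256(token, secret, now: Time.now.to_i)
  header, payload, sig = token.split('.')
  raise SignatureError, 'malformed token' unless token.count('.') == 2 && sig
  expected = hs256_sign("#{header}.#{payload}", secret)
  unless secure_equal?(expected, b64url_decode(sig))
    raise SignatureError, 'signature verification failed'
  end
  claims = JSON.parse(b64url_decode(payload)) # payload is now trusted
  raise ExpiredError, 'token expired' if claims['exp'] && claims['exp'].to_i <= now
  claims
rescue ArgumentError # undecodable base64 anywhere in the token
  raise SignatureError, 'malformed token'
end

# Which outcome the verifier reports: :ok, :bad_signature or :expired.
def verify_outcome(token, secret, now:)
  decode_hs256(token, secret, now: now)
  :ok
rescue SignatureError then :bad_signature
rescue ExpiredError then :expired
end
```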