Merge pull request #37 from corbado/36-check-for-empty-issuer

Added check for empty issuer
corbado · Oct 2, 2024 · b3c20a4 · b3c20a4
2 parents bd4ea26 + c60964c
commit b3c20a4
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/internal/services/session/session.go b/internal/services/session/session.go
@@ -136,6 +136,10 @@ func (i *Impl) ValidateToken(shortSession string) (*entities.User, error) {
 }
 
 func (i *Impl) validateIssuer(jwtIssuer string, shortSession string) error {
+	if jwtIssuer == "" {
+		return newValidationError("Issuer is empty", shortSession, validationerror.CodeJWTIssuerEmpty)
+	}
+
 	// Compare to old Frontend API (without .cloud.) to make our Frontend API host name change downwards compatible
 	if jwtIssuer == fmt.Sprintf("https://%s.frontendapi.corbado.io", i.Config.ProjectID) {
 		return nil
@@ -149,7 +153,7 @@ func (i *Impl) validateIssuer(jwtIssuer string, shortSession string) error {
 	// Compare to configured issuer (from FrontendAPI), needed if you set a CNAME for example
 	if jwtIssuer != i.Config.JWTIssuer {
 		return newValidationError(
-			fmt.Sprintf("JWT issuer mismatch (configured trough FrontendAPI: '%s', JWT issuer: '%s')", i.Config.JWTIssuer, jwtIssuer),
+			fmt.Sprintf("Issuer mismatch (configured trough FrontendAPI: '%s', JWT issuer: '%s')", i.Config.JWTIssuer, jwtIssuer),
 			shortSession,
 			validationerror.CodeJWTIssuerMismatch,
 		)

diff --git a/pkg/validationerror/code.go b/pkg/validationerror/code.go
@@ -9,4 +9,5 @@ const (
 	CodeJWTInvalidSignature
 	CodeJWTBefore
 	CodeJWTExpired
+	CodeJWTIssuerEmpty
 )
diff --git a/sdk.go b/sdk.go
@@ -15,7 +15,7 @@ import (
 	"github.com/corbado/corbado-go/v2/pkg/validationerror"
 )
 
-const Version = "2.0.3"
+const Version = "2.1.0"
 
 type SDK interface {
 	Sessions() session.Session

diff --git a/tests/unit/session/session_test.go b/tests/unit/session/session_test.go
@@ -192,6 +192,13 @@ func TestValidateToken(t *testing.T) {
 			validationErrorCode: validationerror.CodeJWTExpired,
 			success:             false,
 		},
+		{
+			name:                "Empty issuer (iss)",
+			issuer:              "https://pro-1.frontendapi.corbado.io",
+			shortSession:        generateJWT("", time.Now().Add(100*time.Second).Unix(), time.Now().Unix(), validPrivateKey),
+			validationErrorCode: validationerror.CodeJWTIssuerEmpty,
+			success:             false,
+		},
 		{
 			name:                "Invalid issuer 1 (iss)",
 			issuer:              "https://pro-1.frontendapi.corbado.io",
@@ -200,7 +207,7 @@ func TestValidateToken(t *testing.T) {
 			success:             false,
 		},
 		{
-			name:                "Invalid issuer 1 (iss)",
+			name:                "Invalid issuer 2 (iss)",
 			issuer:              "https://pro-1.frontendapi.cloud.corbado.io",
 			shortSession:        generateJWT("https://pro-2.frontendapi.corbado.io", time.Now().Add(100*time.Second).Unix(), time.Now().Unix(), validPrivateKey),
 			validationErrorCode: validationerror.CodeJWTIssuerMismatch,