Merge #2237

2237: Update dependencies r=MarinPostma a=Kerollmops This PR upgrade and updates the dependencies of meilisearch, but first I removed three unused dependencies. I used [cargo udeps](https://github.com/est31/cargo-udeps) to detect those and [cargo upgrade](https://github.com/killercup/cargo-edit/blob/master/README.md#available-subcommands) to upgrade ⬆️ ~This PR **must** be merged when https://github.com/meilisearch/milli/pull/465 is merged and then must be updated accordingly i.e. using the latest version of milli.~ Co-authored-by: Kerollmops <clement@meilisearch.com> Co-authored-by: ManyTheFish <many@meilisearch.com>
2025-07-03 11:57:07 +02:00 · 2022-03-17 17:15:19 +00:00 · 2022-03-17 17:15:19 +00:00 · 7e65816d63
commit 7e65816d63
parent d1c0ecceb9 5bffa4b7f9
6 changed files with 186 additions and 408 deletions
--- a/meilisearch-http/src/extractors/authentication/mod.rs
+++ b/meilisearch-http/src/extractors/authentication/mod.rs
@ -131,8 +131,7 @@ pub trait Policy {
 }

 pub mod policies {
-    use jsonwebtoken::{dangerous_insecure_decode, decode, Algorithm, DecodingKey, Validation};
-    use once_cell::sync::Lazy;
+    use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
    use serde::{Deserialize, Serialize};
    use time::OffsetDateTime;

@ -141,11 +140,13 @@ pub mod policies {
    // reexport actions in policies in order to be used in routes configuration.
    pub use meilisearch_auth::actions;

-    pub static TENANT_TOKEN_VALIDATION: Lazy<Validation> = Lazy::new(|| Validation {
-        validate_exp: false,
-        algorithms: vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512],
-        ..Default::default()
-    });
+    fn tenant_token_validation() -> Validation {
+        let mut validation = Validation::default();
+        validation.validate_exp = false;
+        validation.required_spec_claims.remove("exp");
+        validation.algorithms = vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512];
+        validation
+    }

    pub struct MasterPolicy;

@ -204,12 +205,17 @@ pub mod policies {
                return None;
            }

+            let mut validation = tenant_token_validation();
+            validation.insecure_disable_signature_validation();
+            let dummy_key = DecodingKey::from_secret(b"secret");
+            let token_data = decode::<Claims>(token, &dummy_key, &validation).ok()?;
+
            // get token fields without validating it.
            let Claims {
                search_rules,
                exp,
                api_key_prefix,
-            } = dangerous_insecure_decode::<Claims>(token).ok()?.claims;
+            } = token_data.claims;

            // Check index access if an index restriction is provided.
            if let Some(index) = index {
@ -235,7 +241,7 @@ pub mod policies {
                decode::<Claims>(
                    token,
                    &DecodingKey::from_secret(key.as_bytes()),
-                    &TENANT_TOKEN_VALIDATION,
+                    &tenant_token_validation(),
                )
                .ok()?;