From 968053649b4068acfa61a892830733f5ad2acdac Mon Sep 17 00:00:00 2001
From: Kerollmops
Date: Mon, 14 Mar 2022 16:23:53 +0100
Subject: [PATCH] Change the jsonwebtoken crate usage
---
 .../src/extractors/authentication/mod.rs | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/meilisearch-http/src/extractors/authentication/mod.rs b/meilisearch-http/src/extractors/authentication/mod.rs
index 0a0d9ecfe..ebd5abf01 100644
--- a/meilisearch-http/src/extractors/authentication/mod.rs
+++ b/meilisearch-http/src/extractors/authentication/mod.rs
@@ -131,7 +131,7 @@ pub trait Policy {
 }
 pub mod policies {
- use jsonwebtoken::{dangerous_insecure_decode, decode, Algorithm, DecodingKey, Validation};
+ use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use once_cell::sync::Lazy;
 use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
@@ -141,10 +141,11 @@ pub mod policies {
 // reexport actions in policies in order to be used in routes configuration.
 pub use meilisearch_auth::actions;
- pub static TENANT_TOKEN_VALIDATION: Lazy = Lazy::new(|| Validation {
- validate_exp: false,
- algorithms: vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512],
- ..Default::default()
+ pub static TENANT_TOKEN_VALIDATION: Lazy = Lazy::new(|| {
+ let mut validation = Validation::default();
+ validation.validate_exp = false;
+ validation.algorithms = vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512];
+ validation
 });
 pub struct MasterPolicy;
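Review bot: In the second hunk, `validation.validate_exp = false;` on `TENANT_TOKEN_VALIDATION` switches off the crate's expiry check for the signature-verified decode, and nothing on the static records why that is safe. The later hunk pulls `exp` out of the claims, so expiry is presumably enforced by hand further down, outside the lines shown here. I would add a comment above the static along the lines of `// exp is optional for tenant tokens and is checked manually after decode; keep that check in place while validate_exp is false.` so the two cannot drift apart unnoticed.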
@@ -204,12 +205,19 @@ pub mod policies {
 return None;
 }
+ let mut validation = Validation::default();
+ validation.validate_exp = false;
+ validation.validate_nbf = false;
+ validation.insecure_disable_signature_validation();
+ let dummy_key = DecodingKey::from_secret(b"secret");
+ let token_data = decode::(token, &dummy_key, &validation).ok()?;
+
 // get token fields without validating it.
 let Claims {
 search_rules,
 exp,
 api_key_prefix,
- } = dangerous_insecure_decode::(token).ok()?.claims;
+ } = token_data.claims;
 // Check index access if an index restriction is provided.
 if let Some(index) = index {
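Review bot: The unverified decode starts from `Validation::default()` rather than from `TENANT_TOKEN_VALIDATION`, so its algorithm list is the crate default and not the HS256/HS384/HS512 set that the verified path accepts. If this jsonwebtoken version still compares the header `alg` against `validation.algorithms` when signature validation is disabled (worth confirming), HS384 and HS512 tenant tokens would be rejected here with `None`. Deriving it from the static keeps both paths aligned: `let mut validation = TENANT_TOKEN_VALIDATION.clone();` followed by `validation.insecure_disable_signature_validation();`. The comment `// get token fields without validating it.` now sits below the decode call; I would move it above the `validation` setup and state that `search_rules`, `exp` and `api_key_prefix` are untrusted until the signed `decode` with the real key succeeds. That verified decode is not in this hunk, since the function body continues past it.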