Change the jsonwebtoken crate usage

This commit is contained in:
Kerollmops 2022-03-14 16:23:53 +01:00
parent ac48860bbb
commit 968053649b
No known key found for this signature in database
GPG Key ID: 92ADA4E935E71FA4

View File

@ -131,7 +131,7 @@ pub trait Policy {
}
pub mod policies {
use jsonwebtoken::{dangerous_insecure_decode, decode, Algorithm, DecodingKey, Validation};
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
use once_cell::sync::Lazy;
use serde::{Deserialize, Serialize};
use time::OffsetDateTime;
@ -141,10 +141,11 @@ pub mod policies {
// reexport actions in policies in order to be used in routes configuration.
pub use meilisearch_auth::actions;
pub static TENANT_TOKEN_VALIDATION: Lazy<Validation> = Lazy::new(|| Validation {
validate_exp: false,
algorithms: vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512],
..Default::default()
pub static TENANT_TOKEN_VALIDATION: Lazy<Validation> = Lazy::new(|| {
let mut validation = Validation::default();
validation.validate_exp = false;
validation.algorithms = vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512];
validation
});
pub struct MasterPolicy;
@ -204,12 +205,19 @@ pub mod policies {
return None;
}
let mut validation = Validation::default();
validation.validate_exp = false;
validation.validate_nbf = false;
validation.insecure_disable_signature_validation();
let dummy_key = DecodingKey::from_secret(b"secret");
let token_data = decode::<Claims>(token, &dummy_key, &validation).ok()?;
// get token fields without validating it.
let Claims {
search_rules,
exp,
api_key_prefix,
} = dangerous_insecure_decode::<Claims>(token).ok()?.claims;
} = token_data.claims;
// Check index access if an index restriction is provided.
if let Some(index) = index {