diff --git a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java
index fbf53990..249ac74c 100644
--- a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java
+++ b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/main/java/org/dpppt/backend/sdk/ws/security/DPPTJwtDecoder.java
@@ -36,7 +36,7 @@ public void setJwtValidator(OAuth2TokenValidator validator) {
 @Override
 public Jwt decode(String token) throws JwtException {
 try {
- var t = parser.parse(token);
+ var t = parser.parseClaimsJws(token);
 var headers = t.getHeader();
 var claims = (Claims) t.getBody();
diff --git a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java
index e709c123..1a26a954 100644
--- a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java
+++ b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/BaseControllerTest.java
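Review bot: The cast on the context line `var claims = (Claims) t.getBody();` is now redundant, because `parseClaimsJws` returns `Jws<Claims>` and `getBody()` already yields `Claims`; `var claims = t.getBody();` is enough and lets the compiler, not a runtime cast, enforce the body type. The reason for the switch deserves a comment above the new line, since `parse()` also accepts unsigned tokens and a future "simplification" could reintroduce it: `// parseClaimsJws (not parse): rejects unsigned tokens and anything that is not a signed claims JWS`. Note that the jjwt failure message ends up in the response's WWW-Authenticate header (the GaenControllerTest hunk asserts on it), so callers see library wording rather than a message this code controls. decode's body continues outside the hunk.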
@@ -143,5 +143,14 @@ protected String createTokenWithScope(OffsetDateTime expiresAt, String scope) {
 .setSubject("test-subject" + OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toString()).setExpiration(Date.from(expiresAt.toInstant()))
 .setIssuedAt(Date.from(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toInstant())).signWith((Key) privateKey).compact();
 }
+ protected String createMaliciousToken(OffsetDateTime expiresAt) {
+ Claims claims = Jwts.claims();
+ claims.put("scope", "exposed");
+ claims.put("onset", "2020-04-20");
+ claims.put("fake", "0");
+ return Jwts.builder().setClaims(claims).setId(UUID.randomUUID().toString())
+ .setSubject("test-subject" + OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toString()).setExpiration(Date.from(expiresAt.toInstant()))
+ .setIssuedAt(Date.from(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).toInstant())).compact();
+ }
 }
diff --git a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java
index a2c20de0..0d039b5b 100644
--- a/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java
+++ b/dpppt-backend-sdk/dpppt-backend-sdk-ws/src/test/java/org/dpppt/backend/sdk/ws/controller/GaenControllerTest.java
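Review bot: `createMaliciousToken` has no documentation saying what makes the token "malicious"; the only difference from the `createTokenWithScope` chain above it is the missing `.signWith((Key) privateKey)`, which is easy to overlook in two otherwise identical builder chains. Add a Javadoc such as `/** Builds a token with the same claims layout as the signed helpers but without a signature (no signWith); the decoder must reject it. */`, and consider naming the helper `createUnsignedToken` so the test reads as what it actually checks. The repeated subject/expiration/issued-at chain could also be shared with the existing helpers, though that is optional.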
@@ -1027,6 +1027,19 @@ public void testEtag() throws Exception {
 assertTrue(publishedUntil < System.currentTimeMillis(), "Published until must be in the past");
 assertNotEquals(expectedEtag, response.getHeader("etag"));
 }
+
+ @Test
+ public void testMalciousTokenFails() throws Exception {
+ var requestList = new GaenRequest();
+ List exposedKeys = new ArrayList();
+ requestList.setGaenKeys(exposedKeys);
+ String token = createMaliciousToken(OffsetDateTime.now().withOffsetSameInstant(ZoneOffset.UTC).plusMinutes(5));
+ MvcResult response = mockMvc.perform(post("/v1/gaen/exposed")
+ .contentType(MediaType.APPLICATION_JSON).header("Authorization", "Bearer " + token)
+ .header("User-Agent", "MockMVC").content(json(requestList))).andExpect(request().asyncNotStarted()).andExpect(status().is(401)).andReturn();
+ String authenticateError = response.getResponse().getHeader("www-authenticate");
+ assertTrue(authenticateError.contains("Unsigned Claims JWTs are not supported."));
+ }
 private void verifyZipInZipResponse(MockHttpServletResponse response, int expectKeyCount) throws Exception {
 ByteArrayInputStream baisOuter = new ByteArrayInputStream(response.getContentAsByteArray());
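Review bot: `List exposedKeys = new ArrayList();` uses raw types in a file that already uses `var`; write it as `List<X> exposedKeys = new ArrayList<>();` with X being the element type `setGaenKeys` expects, so the unchecked warning goes away. The method name `testMalciousTokenFails` is misspelled and should be `testMaliciousTokenFails`. The last assertion dereferences `authenticateError` before checking it and pins the test to jjwt's exact wording "Unsigned Claims JWTs are not supported."; an `assertNotNull(authenticateError)` first, and asserting primarily on the 401, would fail clearly instead of with an NPE and would survive a library upgrade that rewords the message.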