
Buddy JWT doesn't support the NONE algorithm

Open vincentjames501 opened this issue 2 years ago • 0 comments

It would be nice if buddy supported the NONE algorithm, just to implement the spec. I fully understand if this is closed, since use of the NONE algorithm is discouraged and can lead to vulnerabilities if one isn't careful, but I don't think it would be problematic with the way buddy is currently implemented, as someone would explicitly need to pass {:alg :none} into the options for both signing and "unsigning".

```clojure
(-> {:foo "bar"}
    (jwt/sign nil {:alg :none})
    (jwt/unsign nil {:alg :none}))
;; => {:foo "bar"}
```

Example workaround:

```clojure
;; Let a nil key resolve to nil instead of failing key lookup.
(extend-protocol buddy.sign.util/IKeyProvider
  nil
  (resolve-key [key header] nil))

;; Register :none as a signer that emits an empty signature and a
;; verifier that accepts only an empty signature.
(alter-var-root #'buddy.sign.jws/+signers-map+
                (constantly (assoc buddy.sign.jws/+signers-map+
                              :none
                              {:signer   (constantly (byte-array 0))
                               :verifier (fn [_authdata sig _key] (= (count sig) 0))})))
```

vincentjames501 · Jun 19 '23 17:06