fix(auth): use checked type assertions for all JWT claims

kolaente
2026-02-24 20:40:32 +01:00
parent 1b3d8dc59c
commit f3ac0574c0
3 changed files with 31 additions and 6 deletions


@@ -96,12 +96,25 @@ func GetLinkShareFromClaims(claims jwt.MapClaims) (share *LinkSharing, err error
return nil, &ErrLinkShareTokenInvalid{}
}
id, is := claims["id"].(float64)
if !is {
return nil, &ErrLinkShareTokenInvalid{}
}
hash, is := claims["hash"].(string)
if !is {
return nil, &ErrLinkShareTokenInvalid{}
}
sharedByID, is := claims["sharedByID"].(float64)
if !is {
return nil, &ErrLinkShareTokenInvalid{}
}
share = &LinkSharing{}
share.ID = int64(claims["id"].(float64))
share.Hash = claims["hash"].(string)
share.ID = int64(id)
share.Hash = hash
share.ProjectID = int64(projectID)
share.Permission = Permission(permissionFloat)
share.SharedByID = int64(claims["sharedByID"].(float64))
share.SharedByID = int64(sharedByID)
return
}
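Review bot: The new checks on `id` and `sharedByID` confirm only that the claim is a JSON number, so a fractional, negative or out-of-range value still reaches `int64(id)` and `int64(sharedByID)`, where Go truncates fractions and leaves out-of-range results implementation-dependent. The token is presumably signature-verified before this function runs, so this is defence in depth, but a guard such as `if id < 1 || id != math.Trunc(id) { return nil, &ErrLinkShareTokenInvalid{} }` would stop a malformed claim from resolving to a different share ID. The same applies to `projectID` and `permissionFloat`, whose checks sit above the hunk. `Permission(permissionFloat)` could also be validated against the known permission values. The function starts outside the hunk.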


@@ -169,7 +169,11 @@ func GetAuthFromClaims(c *echo.Context) (a web.Auth, err error) {
return nil, fmt.Errorf("user in context is not jwt token")
}
claims := jwtinf.Claims.(jwt.MapClaims)
typ := int(claims["type"].(float64))
typFloat, is := claims["type"].(float64)
if !is {
return nil, echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
}
typ := int(typFloat)
if typ == AuthTypeLinkShare && config.ServiceEnableLinkSharing.GetBool() {
return models.GetLinkShareFromClaims(claims)
}
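Review bot: The assertion `claims := jwtinf.Claims.(jwt.MapClaims)` directly above the new `type` check is still unchecked, so a token carrying any other claims type would panic here instead of returning an error. The same line remains in `RenewToken`. Changing it to `claims, is := jwtinf.Claims.(jwt.MapClaims)` followed by `if !is { return nil, echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.") }` would bring the code in line with the commit title's "all JWT claims". The function begins and continues outside the hunk.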


@@ -130,7 +130,11 @@ func Login(c *echo.Context) (err error) {
func RenewToken(c *echo.Context) (err error) {
jwtinf := c.Get("user").(*jwt.Token)
claims := jwtinf.Claims.(jwt.MapClaims)
typ := int(claims["type"].(float64))
typFloat, is := claims["type"].(float64)
if !is {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
}
typ := int(typFloat)
if typ == auth.AuthTypeUser {
return echo.NewHTTPError(
@@ -147,7 +151,11 @@ func RenewToken(c *echo.Context) (err error) {
defer s.Close()
share := &models.LinkSharing{}
share.ID = int64(claims["id"].(float64))
idFloat, is := claims["id"].(float64)
if !is {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
}
share.ID = int64(idFloat)
err = share.ReadOne(s, share)
if err != nil {
_ = s.Rollback()
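Review bot: `jwtinf := c.Get("user").(*jwt.Token)` at the top of `RenewToken` is still an unchecked assertion on a context value, and it panics if the key is missing or holds another type. `GetAuthFromClaims` appears to guard the same lookup, since it returns "user in context is not jwt token". Using `jwtinf, is := c.Get("user").(*jwt.Token)` and returning the same 400 when `!is` would close that gap. Separately, the second hunk parses `id` by hand although `models.GetLinkShareFromClaims` now validates it, so calling that helper would keep the two paths from drifting, provided its other claim requirements fit this route. The function continues outside both hunks.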