v3.1.2 -- Use latest auth0-php library but also ensure correct algo i…

…s used when decoding.
gdbots · Jan 24, 2024 · 810a8be · 810a8be
1 parent c1d270e
commit 810a8be
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/CHANGELOG-3.x.md b/CHANGELOG-3.x.md
@@ -2,6 +2,10 @@
 This changelog references the relevant changes done in 3.x versions.
 
 
+## v3.1.2
+* Use latest auth0-php library but also ensure correct algo is used when decoding.
+
+
 ## v3.1.1
 * Use latest auth0-php library.
 

diff --git a/src/Security/Auth0JwtDecoder.php b/src/Security/Auth0JwtDecoder.php
@@ -6,6 +6,7 @@
 use Auth0\SDK\Auth0;
 use Auth0\SDK\Configuration\SdkConfiguration;
 use Auth0\SDK\Exception\InvalidTokenException;
+use Auth0\SDK\Token;
 use Gdbots\Schemas\Pbjx\Enum\Code;
 use Psr\Cache\CacheItemPoolInterface;
 
@@ -36,6 +37,22 @@ public function __construct(CacheItemPoolInterface $cache, string $audience, str
 
     public function decode(string $jwt): array
     {
+        $header = json_decode(base64_decode(explode('.', $jwt, 2)[0]), true) ?: [];
+        $alg = $header['alg'] ?? 'unknown';
+
+        switch ($alg) {
+            case Token::ALGO_RS256:
+                $this->auth0->configuration()->setTokenAlgorithm(Token::ALGO_RS256);
+                break;
+
+            case Token::ALGO_HS256:
+                $this->auth0->configuration()->setTokenAlgorithm(Token::ALGO_HS256);
+                break;
+
+            default:
+                throw new InvalidTokenException('Invalid token algorithm.');
+        }
+
         $exception = null;
         foreach ($this->keys as $key) {
             $this->auth0->configuration()->setClientSecret($key);