From 9764aa3292a58e5a092431a9a8c686d07b700fd8 Mon Sep 17 00:00:00 2001
From: moon
Date: Tue, 3 Dec 2024 14:32:07 -0500
Subject: [PATCH] additional verification, better key matching

---
 lib/balls_pds/jwt.ex | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/balls_pds/jwt.ex b/lib/balls_pds/jwt.ex
index 1c0cd49..96fee5b 100644
--- a/lib/balls_pds/jwt.ex
+++ b/lib/balls_pds/jwt.ex
@@ -10,7 +10,7 @@ defmodule BallsPDS.JWT do
     generate_jwk(raw_private_key)
   end
 
-  def generate_jwk(raw_private_key) when is_binary(raw_private_key) do
+  def generate_jwk(<>) do
     public_key = :crypto.generate_key(:eddsa, :ed25519, raw_private_key) |> elem(0)
 
     %{
@@ -91,11 +91,18 @@ defmodule BallsPDS.JWT do
     public_jwk = Map.drop(jwk, ["d"])
     signer = Joken.Signer.create("EdDSA", public_jwk)
 
-    Logger.debug("KID: #{get_kid(jwt)}")
-
     case Joken.verify_and_validate(public_jwk, jwt, signer) do
       {:ok, claims} -> {:ok, claims}
       {:error, reason} -> {:error, reason}
     end
   end
+
+  def verify_jwt(jwt, jwk, subject) when is_binary(subject) do
+    case verify_jwt(jwt, jwk) do
+      {:ok, claims = %{"sub" => ^subject}} -> {:ok, claims}
+      {:ok, %{"sub" => _wrong_subject}} -> {:error, :wrong_subject}
+      {:ok, _claims} -> {:error, :missing_subject}
+      error = {:error, _} -> error
+    end
+  end
 end
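Review bot: The new head `def generate_jwk(<>) do` is not valid Elixir as rendered here — `<>` is the concatenation operator, not a pattern — and it binds no `raw_private_key`, which the `:crypto.generate_key(:eddsa, :ed25519, raw_private_key)` call on the following context line still references; this looks like an extraction artifact of a binary size pattern such as `<<raw_private_key::binary-size(32)>>`, so confirm what was actually committed. If that is the pattern, a key of the wrong length now fails at the function head with FunctionClauseError instead of inside the crypto call, which is the stricter, fail-closed behaviour and worth recording for callers: `@doc "Derives an Ed25519 JWK from a raw 32-byte private key; any other input raises FunctionClauseError."`. The body of generate_jwk continues past the end of the hunk.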
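Review bot: `verify_jwt/3` only layers a `sub` match on top of whatever `verify_jwt/2` validates, and the unchanged `case Joken.verify_and_validate(public_jwk, jwt, signer) do` line passes the public JWK in the position Joken takes its claim configuration as I read its API, so nothing in this hunk shows that `exp` (or `aud`/`iss`) is checked before the subject comparison runs; confirm, and if it is not, keep the signer built from `public_jwk` but pass a real claim config there, e.g. `case Joken.verify_and_validate(Joken.Config.default_claims(), jwt, signer) do`. The new clause itself is a sound fail-closed match: a missing `sub` and a mismatched `sub` are reported separately, and a non-binary `subject` is rejected by the guard rather than silently matching. A short `@doc` would help callers, e.g. `@doc "Verifies the token via verify_jwt/2 and additionally requires its \"sub\" claim to equal subject exactly."`. A `@spec` listing the `:wrong_subject` and `:missing_subject` reasons would also be useful, since callers will need to pattern-match on them.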