Using a different algorithm for JWT authentication causes ejabberd_c2s to restart #3890
Comments
Looking at ejabberd/src/ejabberd_auth_jwt.erl, line 124 in fba6518:
error:{badarg, _}
You could try a patch like this, to check if ejabberd is able to catch those crashes. In that case, it should be possible to catch it and return some nice response:
diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl
index f38600bc7..884cf3d8d 100644
--- a/src/ejabberd_auth_jwt.erl
+++ b/src/ejabberd_auth_jwt.erl
@@ -147,5 +147,9 @@ check_jwt_token(User, Server, Token) ->
false
catch
error:{badarg, _} ->
+ false;
+ A:B ->
+ ?INFO_MSG("jose_jwt:verify failed ~n for: ~p~n with: ~p",
+ [{JWK, Token}, {A, B}]),
false
end.
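Review bot: the new `A:B ->` clause logs `{JWK, Token}` at INFO level, which writes the bearer token (and, for a symmetric or private JWK, the verification key) into error.log on every malformed or mismatched-algorithm login attempt; log at debug level and log only `{A, B}` plus a non-secret summary (for example the token's `alg` header), not the key and token themselves. Since this runs on ERTS 13 (OTP 25), `A:B:Stack ->` would also capture the stacktrace, which is more useful for diagnosing the `jose_jwt:verify` failure than the raw inputs.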
I already fixed the issue locally by replacing
Ok, I've applied a similar change upstream, but logging the problems at debug level.
Environment
Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 13.0.3
Errors from error.log/crash.log
Bug description
If there is a discrepancy between the key algorithm (in my case, EdDSA with Ed25519) configured in auth_method and the JWT algorithm sent by the client (here, RS256), ejabberd_c2s crashes (see error above) and closes the connection instead of properly sending a not-authorized error.
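The behaviour the issue asks for, as an added Python example (not ejabberd or jose code): the token header's alg is compared with the configured algorithm before any verification, and every malformed or mismatched token yields False instead of an exception. It assumes HS256 via the standard-library hmac module (Ed25519 needs a third-party package) and an assumed "sub" claim naming the user; make_token builds constructed test tokens, including one whose header claims RS256 to reproduce the reported mismatch.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def peek_alg(token: str):
    """Read 'alg' from the unverified JOSE header; None if the token is malformed."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except (ValueError, TypeError, AttributeError):  # base64, JSON and UTF-8 errors
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None

def check_jwt_token(user: str, token: str, expected_alg: str, key: bytes) -> bool:
    """True only for a well-formed token whose header alg matches the configured
    one and whose signature verifies; False otherwise, never an exception."""
    if peek_alg(token) != expected_alg:
        return False  # e.g. client sent RS256 while the server expects another alg
    try:
        head, payload, sig = token.split(".")
        # Only HS256 is implemented here (assumption, enough to show the control flow;
        # an EdDSA/RS256 deployment would call its asymmetric verifier at this point).
        if expected_alg != "HS256":
            return False
        mac = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return False
    # Assumed claim name: the token must name the authenticating user in "sub".
    return isinstance(claims, dict) and claims.get("sub") == user

def make_token(claims: dict, key: bytes, alg_header: str = "HS256") -> str:
    # Constructed test tokens; alg_header="RS256" reproduces the issue's mismatch
    # (still HMAC-signed, since the point is that the alg check rejects it first).
    head = _b64url_encode(json.dumps({"alg": alg_header, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64url_encode(mac)}"
```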