@matt-codecov matt-codecov commented Dec 5, 2025

There are many different functions you are to use for different types of keys. We are planning to require EdDSA, so we validate the algorithm and switch to using from_ed_pem().

Ref FS-160

@matt-codecov matt-codecov requested a review from a team as a code owner December 5, 2025 01:17
Comment on lines 129 to 134
if jwt_header.alg != Algorithm::EdDSA {
tracing::warn!(
"JWT signed with unexpected algorithm `{:?}`",
jwt_header.alg
);
}
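Review bot: the `jwt_header.alg != Algorithm::EdDSA` branch only calls `tracing::warn!` and then falls through, so a token whose header declares a different algorithm still continues into the code that follows this check. If EdDSA is the only algorithm the service is meant to accept, return an error from this branch instead of logging and continuing.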
Contributor Author

different algorithms require a different key constructor. if we see this happening a lot with InvalidKeyErrors, it's a hint that we need to update the match block below to handle more cases

i'd have just done that right now, but some algorithms have keys that come in multiple formats (pem or der, for example) and i don't want to arbitrarily pick one. if we really have to deal with this, it will probably be added to the key stuff in our config

Member

In our spec we said that we require EdDSA, so let's actually fail auth for now if a different algorithm is provided.

* main:
  feat(server): Implement the new Web API (#230)
Comment on lines +129 to +136
if jwt_header.alg != Algorithm::EdDSA {
tracing::warn!(
algorithm = ?jwt_header.alg,
"JWT signed with unexpected algorithm",
);
let kind = jsonwebtoken::errors::ErrorKind::InvalidAlgorithm;
return Err(AuthError::ValidationFailure(kind.into()));
}
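Review bot: the early return at `jwt_header.alg != Algorithm::EdDSA` decides on the `alg` value read from the token header, which at this point has not been verified. The hunk does not show how the `Validation` used for decoding is built, so make sure it is created with `Algorithm::EdDSA` and not derived from `jwt_header.alg`, so that the restriction is enforced by the verifier as well as by this pre-check.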

This comment was marked as outdated.

Member

@jan-auer jan-auer left a comment

@matt-codecov I've made two changes to the PR:

  1. Require EdDSA. We need to restrict the supported algorithms as per spec.
  2. Log errors for invalid keys but skip them.

For a follow-up: We should process all keys during startup instead of parsing them again for each request. Then, AuthContext can be instantiated with a map of ready keys and just has to perform validation.
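The flow described in this review (parse every key once at startup, log and skip invalid ones, reject any token whose algorithm is not EdDSA), as an added example that is not code from this PR or project. It uses only the standard library and checks just the PEM and SubjectPublicKeyInfo framing of an Ed25519 public key in place of jsonwebtoken's `DecodingKey::from_ed_pem`; `load_keys`, `select_key`, the `kid` lookup and the sample key are assumptions.

```rust
use std::collections::HashMap;
// DER prefix of an Ed25519 SubjectPublicKeyInfo; the 32 raw key bytes follow it.
const SPKI_ED25519: [u8; 12] = [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00];

fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

// Framing check only (PEM armor, DER prefix, length); no curve-point validation.
fn parse_ed25519_pem(pem: &str) -> Result<[u8; 32], &'static str> {
    let body = pem.trim().strip_prefix("-----BEGIN PUBLIC KEY-----")
        .and_then(|s| s.strip_suffix("-----END PUBLIC KEY-----")).ok_or("not a PEM public key")?;
    let der = b64_decode(body).ok_or("invalid base64")?;
    match der.strip_prefix(&SPKI_ED25519[..]) {
        Some(raw) if raw.len() == 32 => { let mut k = [0u8; 32]; k.copy_from_slice(raw); Ok(k) }
        _ => Err("not an Ed25519 SubjectPublicKeyInfo"),
    }
}

// Startup: parse every configured (kid, pem) pair once; log and skip failures.
fn load_keys(configured: &[(&str, &str)]) -> HashMap<String, [u8; 32]> {
    configured.iter().filter_map(|(kid, pem)| match parse_ed25519_pem(pem) {
        Ok(key) => Some((kid.to_string(), key)),
        Err(e) => { eprintln!("skipping key `{}`: {}", kid, e); None }
    }).collect()
}

// Per request: refuse any algorithm but EdDSA before touching a key.
fn select_key<'a>(keys: &'a HashMap<String, [u8; 32]>, alg: &str, kid: &str) -> Result<&'a [u8; 32], &'static str> {
    if alg != "EdDSA" { return Err("InvalidAlgorithm"); }
    keys.get(kid).ok_or("unknown key id")
}

// Constructed sample: valid SPKI framing around 32 zero bytes, not a real key.
fn sample_pem() -> String {
    format!("-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA{}=\n-----END PUBLIC KEY-----\n", "A".repeat(43))
}

fn main() {
    let pem = sample_pem();
    let keys = load_keys(&[("relay-1", pem.as_str()), ("broken", "garbage")]);
    println!("{} key(s) loaded; HS256 token: {:?}", keys.len(), select_key(&keys, "HS256", "relay-1"));
}
```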

@jan-auer jan-auer changed the title from "fix(auth): use correct method for creating jwt DecodingKey" to "fix(auth): Require EdDSA and fix verification" Dec 5, 2025
@jan-auer jan-auer enabled auto-merge (squash) December 5, 2025 10:43
@jan-auer jan-auer merged commit 44cf890 into main Dec 5, 2025
37 of 42 checks passed
@jan-auer jan-auer deleted the matt/fix-authz-key-format branch December 5, 2025 10:44
jan-auer added a commit that referenced this pull request Dec 5, 2025
* main:
  fix(auth): Require EdDSA and fix verification (#232)
  release: 0.0.14
  feat(server): Implement the new Web API (#230)