fix(authn): add handling of invalid secret

2021-11-25 17:17:44 +08:00 · 2021-11-25 17:17:44 +08:00 · 15654b5b28
parent d88bfdfe14
commit 15654b5b28
1 changed files with 16 additions and 9 deletions
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@ -201,15 +201,14 @@ create2(#{use_jwks := false,
          secret := Secret0,
          secret_base64_encoded := Base64Encoded,
          verify_claims := VerifyClaims}) ->
-    Secret = case Base64Encoded of
-                 true ->
-                     base64:decode(Secret0);
-                 false ->
-                     Secret0
-             end,
-    JWK = jose_jwk:from_oct(Secret),
-    {ok, #{jwk => JWK,
-           verify_claims => VerifyClaims}};
+    case may_decode_secret(Base64Encoded, Secret0) of
+        {error, Reason} ->
+            {error, Reason};
+        Secret ->
+            JWK = jose_jwk:from_oct(Secret),
+            {ok, #{jwk => JWK,
+                verify_claims => VerifyClaims}}
+    end;                                                                                           

 create2(#{use_jwks := false,
          algorithm := 'public-key',
@ -234,6 +233,14 @@ create2(#{use_jwks := true,
            {error, Reason}
    end.

+may_decode_secret(false, Secret) -> Secret;
+may_decode_secret(true, Secret) ->
+    try base64:decode(Secret)
+    catch
+        error : _ ->
+            {error, {invalid_parameter, Secret}}
+    end.
+
 replace_placeholder(L, Variables) ->
    replace_placeholder(L, Variables, []).