From 6535eb879c2c5c524179ace8cce719ac6ac76c57 Mon Sep 17 00:00:00 2001 From: JianBo He Date: Wed, 27 Apr 2022 17:27:27 +0800 Subject: [PATCH 1/2] fix(authn-jwt): avoid to save empty claim name An empty claim_name has not a real meaning and will result in a syntax error cluster_override.conf. i.e: ``` authentication { mechanism = "jwt" verify_claims { = "22"} ... } ``` --- apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index 58c51facb..c82ec3d0a 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -441,6 +441,11 @@ check_claim_name(iat) -> false; check_claim_name(nbf) -> false; +check_claim_name(Name) when + Name == <<>>; + Name == "" +-> + false; check_claim_name(_) -> true. From e216e0f17fd0a193b46c27eec7b928143f09e195 Mon Sep 17 00:00:00 2001 From: JianBo He Date: Thu, 28 Apr 2022 08:51:20 +0800 Subject: [PATCH 2/2] test(authn): add test for verifing claim name --- apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl index f7534b880..bad6d5cc0 100644 --- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl 
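Review bot: The new guard in `check_claim_name/1` rejects only the exactly-empty name, so a whitespace-only claim name such as `<<" ">>` still passes and, if the config writer emits map keys unquoted, would presumably produce the same unparseable `verify_claims { = ...}` entry in cluster_override.conf that this commit is fixing; it is worth confirming whether the serializer quotes such keys before relying on this check alone. The sibling clauses visible in the hunk match the atoms `iat`/`nbf` while the new clause matches a binary or string; if names reach this function as binaries (the accompanying test sends an `<<>>` key through the REST API and expects a 400), `<<"iat">>` would not be caught by the atom clauses — that is inferred from the test, please confirm what type the keys have at this point. Stylistically, guards should use exact comparison, `Name =:= <<>>; Name =:= ""`, since `==` adds numeric coercion that is not wanted here. `check_claim_name/1` begins before this hunk.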
@@ -342,6 +342,40 @@ t_jwt_authenticator_verify_claims(_) ->
 },
 ?assertMatch({ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential3, State1)).
+t_jwt_not_allow_empty_claim_name(_) ->
+ Request = #{
+ <<"use_jwks">> => false,
+ <<"algorithm">> => <<"hmac-based">>,
+ <<"secret">> => <<"secret">>,
+ <<"mechanism">> => <<"jwt">>
+ },
+ ?assertMatch(
+ {200, _},
+ emqx_authn_api:authenticators(
+ post, #{body => Request}
+ )
+ ),
+
+ ?assertMatch(
+ {400, _},
+ emqx_authn_api:authenticator(
+ put, #{
+ bindings => #{id => <<"jwt">>},
+ body => Request#{<<"verify_claims">> => #{<<>> => <<>>}}
+ }
+ )
+ ),
+
+ ?assertMatch(
+ {200, _},
+ emqx_authn_api:authenticator(
+ put, #{
+ bindings => #{id => <<"jwt">>},
+ body => Request#{<<"verify_claims">> => #{<<"key">> => <<>>}}
+ }
+ )
+ ).
+
 %%------------------------------------------------------------------------------
 %% Helpers
 %%------------------------------------------------------------------------------
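Review bot: The new `t_jwt_not_allow_empty_claim_name/1` creates a `jwt` authenticator with the POST at its top but never removes it, so unless `init_per_testcase`/`end_per_testcase` (outside this hunk) resets the authentication chain, the leftover authenticator can make the POST in a later case fail or leak state between cases; finishing with a delete through the same API (presumably `emqx_authn_api:authenticator(delete, #{bindings => #{id => <<"jwt">>}})`), ideally in a `try ... after`, would keep the case self-contained. The `{400, _}` match accepts any 400, so a rejection for an unrelated reason (a schema error elsewhere in `Request`) would also pass; asserting on the returned body, in whatever shape the API uses, would pin that the empty key is what was rejected. Note that the `""` branch of the fix cannot be reached through this API since JSON object keys arrive as binaries; if `check_claim_name/1` is exported, a direct `?assertNot(emqx_authn_jwt:check_claim_name(""))` would cover it.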