From 1d48c78b178736522482cd069ec01b036186127f Mon Sep 17 00:00:00 2001
From: Robert Newson
Date: Thu, 16 May 2024 14:53:47 +0100
Subject: [PATCH] JWT: require valid `exp` claim by default

Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration.

In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string.

We do not add `nbf` as a required claim as it seems to not be set often in practice.

closes https://github.com/apache/couchdb/issues/5046
---
 rel/overlay/etc/default.ini        | 5 ++++-
 src/couch/src/couch_httpd_auth.erl | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 8c345b6af77..87265f0d208 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -225,7 +225,10 @@ bind_address = 127.0.0.1
 ; List of claims to validate
 ; can be the name of a claim like "exp" or a tuple if the claim requires
 ; a parameter
-;required_claims = exp, {iss, "IssuerNameHere"}
+; Example:
+; required_claims = exp, nbf, {iss, "MyCompany"}
+; default value if not set;
+;required_claims = exp
 
 ; roles_claim_name is marked as deprecated. Please use roles_claim_path instead!
 ; Values for ``roles_claim_name`` can only be top-level attributes in the JWT
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 58fd4320c32..f5630f5e397 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
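Review bot: The new comment `; default value if not set;` ends in a semicolon where a colon is meant, and the hunk never tells an administrator how to opt out of the check, which the commit message says is done with an empty value — that is the one security-relevant knob here and it should be documented next to the default. Suggest `; Default when not set (an empty value disables all required-claim checks,` / `; which lets expired tokens be accepted):` above `;required_claims = exp`. Whether an empty value in the ini actually reaches the server as "" rather than being dropped by the config parser is not visible in this patch and is worth confirming before documenting it as the opt-out.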
@@ -306,7 +306,7 @@ get_roles_claim(Claims) ->
     end.
 
 get_configured_claims() ->
-    Claims = config:get("jwt_auth", "required_claims", ""),
+    Claims = config:get("jwt_auth", "required_claims", "exp"),
     Re = "((?[a-z]+)|{(?[a-z]+)\s*,\s*\"(?[^\"]+)\"})",
     case re:run(Claims, Re, [global, {capture, [key1, key2, val], binary}]) of
         nomatch when Claims /= "" ->
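Review bot: The opt-out described in the commit message depends on `config:get` returning `""` when an administrator sets `required_claims` to an empty value, so that the `nomatch when Claims /= ""` guard on the last line is skipped and no claims are required; if the config layer instead treats an empty value as an absent key, the lookup falls back to `"exp"` and the documented way to disable the check silently does nothing. A test that sets an empty value and asserts `get_configured_claims()` returns the empty list would pin this down. The hard-coded default on the changed line also duplicates the value shown in default.ini; hoisting it to `-define(DEFAULT_REQUIRED_CLAIMS, "exp").` with a comment `%% Require exp by default so tokens expire; "" disables required-claim checks` keeps the two in sync and records why the default is no longer empty. get_configured_claims continues past the end of this hunk.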