minor tweeks from code review

Rick Watson 2019-06-03 21:05:02 +01:00
parent fec3b3aeae
commit 3157b7d3ef
2 changed files with 7 additions and 13 deletions


@ -60,21 +60,18 @@ void ArduinoJsonJWT::parseJWT(String jwt, JsonDocument &jsonDocument) {
// clear json document before we begin, jsonDocument wil be null on failure // clear json document before we begin, jsonDocument wil be null on failure
jsonDocument.clear(); jsonDocument.clear();
// must be of minimum length or greater
if (jwt.length() <= JWT_SIG_SIZE + JWT_HEADER_SIZE + 2) {
return;
}
// must have the correct header and delimiter // must have the correct header and delimiter
if (!jwt.startsWith(JWT_HEADER) || jwt.indexOf('.') != JWT_HEADER_SIZE) { if (!jwt.startsWith(JWT_HEADER) || jwt.indexOf('.') != JWT_HEADER_SIZE) {
return; return;
} }
// must have signature of correct length
int signatureDelimiterIndex = jwt.length() - JWT_SIG_SIZE - 1; // check there is a signature delimieter
if (jwt.lastIndexOf('.') != signatureDelimiterIndex) { int signatureDelimiterIndex = jwt.lastIndexOf('.');
if (signatureDelimiterIndex == JWT_HEADER_SIZE) {
return; return;
} }
// signature must be correct // check the signature is valid
String signature = jwt.substring(signatureDelimiterIndex + 1); String signature = jwt.substring(signatureDelimiterIndex + 1);
jwt = jwt.substring(0, signatureDelimiterIndex); jwt = jwt.substring(0, signatureDelimiterIndex);
if (sign(jwt) != signature){ if (sign(jwt) != signature){
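Review bot: The signature check at the end of the hunk, `if (sign(jwt) != signature){`, compares the computed HMAC with the supplied value using `String` inequality, which can stop at the first differing byte and so is not constant-time. With the explicit signature-length checks gone, this comparison is the only thing that rejects a malformed or wrong signature, so it is worth making it length-checked and constant-time, as sketched below. The body of that `if` and the rest of `parseJWT` lie outside the hunk.

```cpp
// … unchanged: header and delimiter checks, signature/payload split …
String expected = sign(jwt);
// the length is not secret, so an early exit on it is fine
if (expected.length() != signature.length()) {
  return;
}
// accumulate differences so the time taken does not depend on where they are
uint8_t diff = 0;
for (unsigned int i = 0; i < expected.length(); i++) {
  diff |= expected[i] ^ signature[i];
}
if (diff != 0) {
```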


@ -11,17 +11,14 @@
#include <bearssl/bearssl_hmac.h> #include <bearssl/bearssl_hmac.h>
#endif #endif
#define JWT_HEADER_SIZE 36
#define JWT_SIG_SIZE 43
class ArduinoJsonJWT { class ArduinoJsonJWT {
private: private:
String _secret; String _secret;
// {"alg": "HS256", "typ": "JWT"}
const String JWT_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"; const String JWT_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
const size_t JWT_HEADER_SIZE = JWT_HEADER.length();
String sign(String &value); String sign(String &value);
static String encode(const char *cstr, int len); static String encode(const char *cstr, int len);
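Review bot: `JWT_HEADER_SIZE` is initialised from `JWT_HEADER.length()`, so it is only correct while `JWT_HEADER` stays declared above it, and as a `size_t` member it is compared against the `int` results of `indexOf`/`lastIndexOf` in `parseJWT`. Which side these lines belong to is inferred, because the rendering lost the +/- markers. A short comment would help, e.g. `// must stay below JWT_HEADER: members initialise in declaration order`. It would also be worth noting next to `JWT_HEADER` that `parseJWT` accepts only tokens whose header matches this string exactly, which pins the algorithm to HS256.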