`Authorization: Bearer <token>` header, but provide a token that is deliberately malformed. For example, a token where the algorithm part is invalid (e.g., `not-an-algo:123:abc...`). Token format: `[ALGO]:[USER_ID]:[HMAC]`. An invalid request can be triggered by using an algorithm that is not `sha256` or `sha512`.

The API should respond with a `401 Unauthorized` status code and a standard JSON:API error object, indicating that the token is invalid. The server should not produce a fatal error.

The server responds with a `500 Internal Server Error`. The PHP error log shows a `CRITICAL` error: `Uncaught Throwable of type ValueError thrown with message "hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm"`.
This issue occurs because the `onUserAuthenticate` method in `plugins/api-authentication/token/src/Extension/Token.php` does not validate the hashing algorithm (`$algo`) from the token before passing it to the `hash_hmac()` function. If an invalid algorithm is provided, it causes a fatal `ValueError` in PHP 8+.

The method should include a check to ensure `$algo` is in the `$this->allowedAlgos` array immediately after the token is deconstructed. If the algorithm is not allowed, the method should immediately `return` to fail the authentication gracefully, which will result in the expected `401` response from the `ApiApplication`.
A simple fix would be to add the following check after line 179:

```php
// ... after line 165
[$algo, $userId, $tokenHMAC] = $parts;

/**
 * Verify the HMAC algorithm requested in the token string is allowed
 */
$allowedAlgo = \in_array($algo, $this->allowedAlgos);

// If the algorithm is not allowed, fail authentication before hash_hmac() sees $algo.
if (!$allowedAlgo) {
    return;
}
```

And after line 193 (`$referenceTokenData = base64_decode($referenceTokenData);`):

```php
// An empty (undecodable) reference token can never match; fail authentication.
if (empty($referenceTokenData)) {
    return;
}
```
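To make the failure mode and the proposed guard concrete, here is a stand-alone PHP script (an added example, not the Joomla plugin's code). It parses a token in the `[ALGO]:[USER_ID]:[HMAC]` layout, checks the algorithm against an allow-list before `hash_hmac()` is ever called, and compares the HMAC in constant time. The secret, the sample tokens, and the choice of the user ID as the HMAC input are constructed for this example; the real plugin hashes a per-user token seed, so only the ordering of the checks carries over.

```php
<?php
declare(strict_types=1);

// Constructed allow-list, mirroring the sha256/sha512 set the issue mentions.
const ALLOWED_ALGOS = ['sha256', 'sha512'];

/**
 * Build a token in the [ALGO]:[USER_ID]:[HMAC] layout (constructed helper,
 * only so the script can produce a valid sample token for itself).
 */
function makeToken(string $algo, int $userId, string $secret): string
{
    return $algo . ':' . $userId . ':' . hash_hmac($algo, (string) $userId, $secret);
}

/**
 * Returns the authenticated user ID, or null when the token must be rejected.
 * It never throws on malformed input, which is what lets the caller answer
 * with a 401 instead of a 500.
 */
function authenticateToken(string $token, string $secret): ?int
{
    $parts = explode(':', $token);

    // Exactly three non-empty parts, or the token is malformed.
    if (count($parts) !== 3 || in_array('', $parts, true)) {
        return null;
    }

    [$algo, $userId, $tokenHMAC] = $parts;

    // Reject the algorithm BEFORE it reaches hash_hmac(). This is the check the
    // issue proposes: without it a name such as 'not-an-algo' is handed to
    // hash_hmac(), which throws ValueError on PHP 8+. Strict comparison avoids
    // loose type juggling in in_array().
    if (!in_array($algo, ALLOWED_ALGOS, true)) {
        return null;
    }

    // The user ID part must be a plain decimal integer.
    if (!ctype_digit($userId)) {
        return null;
    }

    $expected = hash_hmac($algo, $userId, $secret);

    // Constant-time comparison so the HMAC check leaks no timing information.
    if (!hash_equals($expected, $tokenHMAC)) {
        return null;
    }

    return (int) $userId;
}

/**
 * The unguarded variant, kept only to reproduce the failure the issue reports:
 * on PHP 8+ an unknown $algo makes hash_hmac() throw ValueError.
 */
function authenticateTokenUnguarded(string $token, string $secret): ?int
{
    [$algo, $userId, $tokenHMAC] = explode(':', $token, 3);
    $expected = hash_hmac($algo, $userId, $secret); // throws on unknown $algo
    return hash_equals($expected, $tokenHMAC) ? (int) $userId : null;
}

// --- Demonstration with constructed values ---------------------------------
$secret = 'constructed-site-secret';
$good   = makeToken('sha256', 42, $secret);
$bad    = 'not-an-algo:123:abc';

var_dump(authenticateToken($good, $secret));
var_dump(authenticateToken($bad, $secret));

try {
    authenticateTokenUnguarded($bad, $secret);
} catch (\ValueError $e) {
    echo 'Unguarded variant threw: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` 8 or newer: the guarded function returns the user ID for the valid token and `null` for the malformed one, while the unguarded variant reaches the `catch` block with the same `hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm` message the issue quotes. The point of the ordering is that the allow-list check must short-circuit before `hash_hmac()`; computing an "allowed" flag and only consulting it after the hash has been calculated is exactly what turns a bad token into a fatal error.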
Can someone verify and implement this, or provide a better solution?

It worked (threw a correct 401 error response) in my Postman test, where I entered a wrong token.