MarcelSchuermann
28 Jul 2025

Steps to reproduce the issue

  1. Enable the "API Authentication - Token" plugin in a Joomla 5 installation.
  2. Configure a user with an API token, e.g. in Postman.
  3. Make an API request using an Authorization: Bearer <token> header, but provide a token that is deliberately malformed. For example, a token where the algorithm part is invalid (e.g., not-an-algo:123:abc...).
  4. The token can be constructed by base64 encoding a string like [ALGO]:[USER_ID]:[HMAC]. An invalid request can be triggered by using an algorithm that is not sha256 or sha512.

Expected result

The API should respond with a 401 Unauthorized status code and a standard JSON:API error object, indicating that the token is invalid. The server should not produce a fatal error.

Actual result

The server responds with a 500 Internal Server Error. The PHP error log shows a CRITICAL error: Uncaught Throwable of type ValueError thrown with message "hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm".

System information

  • Joomla! version: 5.3.2 (but also already in 4.x)
  • PHP version: 8.3 or newer
  • Database: MariaDB
  • Web Server: XAMPP

Additional comments

This issue occurs because the onUserAuthenticate method in plugins/api-authentication/token/src/Extension/Token.php does not validate the hashing algorithm ($algo) from the token before passing it to the hash_hmac() function. If an invalid algorithm is provided, it causes a fatal ValueError in PHP 8+.

The method should include a check to ensure $algo is in the $this->allowedAlgos array immediately after the token is deconstructed. If the algorithm is not allowed, the method should immediately return to fail the authentication gracefully, which will result in the expected 401 response from the ApiApplication.

A simple fix would be to add the following check after line 179:

// ... after line 165
[$algo, $userId, $tokenHMAC] = $parts;

/**
 * Verify the HMAC algorithm requested in the token string is allowed
 */
$allowedAlgo = \in_array($algo, $this->allowedAlgos);

// If the algorithm is not allowed, fail authentication.
if (!$allowedAlgo) {
    return;
}

And after line 193:

$referenceTokenData = base64_decode($referenceTokenData);

// If the stored reference token cannot be decoded, fail authentication.
if (empty($referenceTokenData)) {
    return;
}

Can someone verify & implement / provide a better solution?
It worked (threw a correct 401 error response) with my Postman test, where I entered a wrong token.
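As an added, stand-alone illustration (not Joomla's code and not the reporter's patch), the following PHP script re-creates the failure described in this report and the check proposed for it. The token layout base64([ALGO]:[USER_ID]:[HMAC]) follows the report; the secret, the user id, the decision to HMAC the user id, and the function names are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed re-creation of the vulnerable token check and its hardened form.
// Not Joomla's code: token layout follows the report, everything else is assumed.

const ALLOWED_ALGOS = ['sha256', 'sha512'];

/**
 * Vulnerable variant: forwards the client-supplied algorithm straight to
 * hash_hmac(). On PHP 8+ an unknown algorithm makes hash_hmac() throw a
 * ValueError, which surfaces as a 500 instead of a 401.
 */
function verifyTokenVulnerable(string $token, string $secret, string $expectedUserId): bool
{
    $parts = explode(':', base64_decode($token, true) ?: '', 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$algo, $userId, $tokenHmac] = $parts;
    // Assumed signing input: the user id. An unknown $algo throws here.
    $referenceHmac = hash_hmac($algo, $userId, $secret);
    return $userId === $expectedUserId && hash_equals($referenceHmac, $tokenHmac);
}

/**
 * Hardened variant: reject the algorithm before it reaches hash_hmac(),
 * so a malformed token fails authentication instead of crashing the request.
 */
function verifyTokenHardened(string $token, string $secret, string $expectedUserId): bool
{
    $decoded = base64_decode($token, true);
    if ($decoded === false || $decoded === '') {
        return false;
    }
    $parts = explode(':', $decoded, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$algo, $userId, $tokenHmac] = $parts;
    // The check the report asks for: only known algorithms may reach hash_hmac().
    if (!in_array($algo, ALLOWED_ALGOS, true)) {
        return false;
    }
    $referenceHmac = hash_hmac($algo, $userId, $secret);
    return $userId === $expectedUserId && hash_equals($referenceHmac, $tokenHmac);
}

// --- constructed sample data ---
$secret = 'constructed-demo-secret';
$userId = '42';

$validToken     = base64_encode('sha256:' . $userId . ':' . hash_hmac('sha256', $userId, $secret));
$malformedToken = base64_encode('not-an-algo:' . $userId . ':abc');

// Hardened path: a well-formed token is accepted, a token with an unknown
// algorithm is rejected without any exception (the graceful 401 path).
var_dump(verifyTokenHardened($validToken, $secret, $userId));
var_dump(verifyTokenHardened($malformedToken, $secret, $userId));

// Vulnerable path: the same malformed token reaches hash_hmac() and throws.
try {
    verifyTokenVulnerable($malformedToken, $secret, $userId);
} catch (\ValueError $e) {
    // This is the "Uncaught Throwable of type ValueError" from the report.
    echo 'vulnerable variant threw: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` on PHP 8 or newer. The ordering matters: the algorithm allow-list check sits before any call that could raise on bad input, and the comparison uses hash_equals() so that a rejected token is never distinguishable by timing from a mismatched one.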

MarcelSchuermann - open - 28 Jul 2025
joomla-cms-bot - change - 28 Jul 2025
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 28 Jul 2025
