Authorization: Bearer <token> header, but provide a token that is deliberately malformed. For example, a token where the algorithm part is invalid (e.g., `not-an-algo:123:abc...`; the token format is `[ALGO]:[USER_ID]:[HMAC]`). An invalid request can be triggered by using an algorithm that is not sha256 or sha512.

The API should respond with a 401 Unauthorized status code and a standard JSON:API error object, indicating that the token is invalid. The server should not produce a fatal error.
The server responds with a 500 Internal Server Error. The PHP error log shows a CRITICAL error: Uncaught Throwable of type ValueError thrown with message "hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm".
This issue occurs because the onUserAuthenticate method in plugins/api-authentication/token/src/Extension/Token.php does not validate the hashing algorithm ($algo) from the token before passing it to the hash_hmac() function. If an invalid algorithm is provided, it causes a fatal ValueError in PHP 8+.
The method should include a check to ensure $algo is in the $this->allowedAlgos array immediately after the token is deconstructed. If the algorithm is not allowed, the method should immediately return to fail the authentication gracefully, which will result in the expected 401 response from the ApiApplication.
A simple fix would be to add the following check after line 179:
```php
// ... after line 165
[$algo, $userId, $tokenHMAC] = $parts;

/**
 * Verify the HMAC algorithm requested in the token string is allowed
 * (strict comparison, so only exact matches of the allow-list pass).
 */
$allowedAlgo = \in_array($algo, $this->allowedAlgos, true);

// If the algorithm is not allowed, fail authentication.
if (!$allowedAlgo) {
    return;
}
```

And after line 193:

```php
$referenceTokenData = base64_decode($referenceTokenData);

// A seed that fails to decode (or is empty) cannot be verified; fail authentication.
if (empty($referenceTokenData)) {
    return;
}
```

Can someone verify & implement / provide a better solution?
It worked (threw a correct 401 error response) in my Postman test, where I entered a wrong token.
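The check the issue asks for, as an added example that is not the Joomla plugin's own code: a minimal model of the `[ALGO]:[USER_ID]:[HMAC]` bearer-token verification with the allow-list test placed immediately after the token is deconstructed, beside the unguarded variant that reproduces the `ValueError`. It assumes (not stated in the issue) that the bearer token is base64 of `algo:userId:hmac`, that each user has a stored random seed, and that the HMAC is `hash_hmac($algo, $seed, $siteSecret)`; the function and variable names are illustrative. It also shows that an algorithm PHP accepts but the allow-list does not (md5) is rejected by the guarded variant.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's plugin code. Assumptions (not from the issue):
// token = base64("algo:userId:hmac"), hmac = hash_hmac(algo, seed, siteSecret).
const ALLOWED_ALGOS = ['sha256', 'sha512'];

/** Build a token for demonstration only (constructed test data, hypothetical helper). */
function mintToken(string $algo, int $userId, string $seed, string $siteSecret): string
{
    $hmac = hash_hmac($algo, $seed, $siteSecret);
    return base64_encode("{$algo}:{$userId}:{$hmac}");
}

/** Split a token into [algo, userId, hmac], or null when the shape is wrong. */
function deconstructToken(string $token): ?array
{
    $decoded = base64_decode($token, true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    $parts = explode(':', $decoded, 3);
    return count($parts) === 3 ? $parts : null;
}

/**
 * Unguarded variant: $algo goes straight to hash_hmac(), the behaviour the
 * issue reports. Returns the user id on success, null on failure.
 */
function verifyTokenUnguarded(string $token, array $seeds, string $siteSecret): ?int
{
    $parts = deconstructToken($token);
    if ($parts === null) {
        return null;
    }
    [$algo, $userId, $tokenHMAC] = $parts;
    $seed = $seeds[(int) $userId] ?? null;
    if ($seed === null) {
        return null;
    }
    // Throws \ValueError on PHP 8+ when $algo is not a hashing algorithm.
    $referenceHMAC = hash_hmac($algo, $seed, $siteSecret);
    return hash_equals($referenceHMAC, $tokenHMAC) ? (int) $userId : null;
}

/** Guarded variant: the allow-list is checked right after deconstruction. */
function verifyTokenGuarded(string $token, array $seeds, string $siteSecret): ?int
{
    $parts = deconstructToken($token);
    if ($parts === null) {
        return null;
    }
    [$algo, $userId, $tokenHMAC] = $parts;
    // Fail closed before hash_hmac() ever sees an attacker-chosen algorithm;
    // the caller maps null to a 401 response.
    if (!in_array($algo, ALLOWED_ALGOS, true)) {
        return null;
    }
    $seed = $seeds[(int) $userId] ?? null;
    if ($seed === null) {
        return null;
    }
    $referenceHMAC = hash_hmac($algo, $seed, $siteSecret);
    return hash_equals($referenceHMAC, $tokenHMAC) ? (int) $userId : null;
}

// Constructed sample data.
$siteSecret = 'example-site-secret';
$seeds = [123 => random_bytes(32)];

$good = mintToken('sha256', 123, $seeds[123], $siteSecret);
$weak = mintToken('md5', 123, $seeds[123], $siteSecret);   // valid for PHP, not allowed
$bad  = base64_encode('not-an-algo:123:abc');               // the issue's malformed token

echo 'guarded, good token: ', var_export(verifyTokenGuarded($good, $seeds, $siteSecret), true), PHP_EOL;
echo 'guarded, md5 token:  ', var_export(verifyTokenGuarded($weak, $seeds, $siteSecret), true), PHP_EOL;
echo 'guarded, bad algo:   ', var_export(verifyTokenGuarded($bad, $seeds, $siteSecret), true), PHP_EOL;

try {
    verifyTokenUnguarded($bad, $seeds, $siteSecret);
} catch (\ValueError $e) {
    echo 'unguarded, bad algo: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` on PHP 8 or later. The order matters: the allow-list test must precede the `hash_hmac()` call, since `hash_hmac()` raises the `ValueError` the issue describes before any return value can be checked, and a `try/catch` around it would still leave the plugin accepting whichever algorithm the caller names.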
| Labels | Added: No Code Attached Yet |
@Satish-Medar Thanks for your interest - we do not assign issues. Anyone is free to submit a pull request.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-10-16 17:21:06 |
| Closed_By | ⇒ | richard67 |
@MarcelSchuermann Please, when you create a pull request for one of your issues, close the issue. We close issues here as soon as we have a pull request for it. And if you already know you will make a pull request, then there is no need to create an issue in addition. Thanks in advance.
Closing as having a pull request. See #46305 .
@joomla-cms-bot I’m happy to work on this issue. Could you please assign it to me?