From f3ac0574c0950eb4210c82242ebe77e41c453828 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 24 Feb 2026 20:40:32 +0100
Subject: [PATCH] fix(auth): use checked type assertions for all JWT claims

---
 pkg/models/link_sharing.go | 19 ++++++++++++++++---
 pkg/modules/auth/auth.go | 6 +++++-
 pkg/routes/api/v1/login.go | 12 ++++++++++--
 3 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/pkg/models/link_sharing.go b/pkg/models/link_sharing.go
index 23cdbaa15..ee98324fc 100644
--- a/pkg/models/link_sharing.go
+++ b/pkg/models/link_sharing.go
@@ -96,12 +96,25 @@ func GetLinkShareFromClaims(claims jwt.MapClaims) (share *LinkSharing, err error
 return nil, &ErrLinkShareTokenInvalid{}
 }
 
+ id, is := claims["id"].(float64)
+ if !is {
+ return nil, &ErrLinkShareTokenInvalid{}
+ }
+ hash, is := claims["hash"].(string)
+ if !is {
+ return nil, &ErrLinkShareTokenInvalid{}
+ }
+ sharedByID, is := claims["sharedByID"].(float64)
+ if !is {
+ return nil, &ErrLinkShareTokenInvalid{}
+ }
+
 share = &LinkSharing{}
- share.ID = int64(claims["id"].(float64))
- share.Hash = claims["hash"].(string)
+ share.ID = int64(id)
+ share.Hash = hash
 share.ProjectID = int64(projectID)
 share.Permission = Permission(permissionFloat)
- share.SharedByID = int64(claims["sharedByID"].(float64))
+ share.SharedByID = int64(sharedByID)
 
 return
 }
diff --git a/pkg/modules/auth/auth.go b/pkg/modules/auth/auth.go
index 816474ba0..ab5d7f3a5 100644
--- a/pkg/modules/auth/auth.go
+++ b/pkg/modules/auth/auth.go
@@ -169,7 +169,11 @@ func GetAuthFromClaims(c *echo.Context) (a web.Auth, err error) {
 return nil, fmt.Errorf("user in context is not jwt token")
 }
 claims := jwtinf.Claims.(jwt.MapClaims)
- typ := int(claims["type"].(float64))
+ typFloat, is := claims["type"].(float64)
+ if !is {
+ return nil, echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
+ }
+ typ := int(typFloat)
 if typ == AuthTypeLinkShare && config.ServiceEnableLinkSharing.GetBool() {
 return models.GetLinkShareFromClaims(claims)
 }
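Review bot: The conversions `share.ID = int64(id)` and `share.SharedByID = int64(sharedByID)` still accept a fractional, negative or out-of-range numeric claim silently (an out-of-range float-to-int conversion is implementation-defined in Go), so the new assertions only rule out a wrong JSON type; the same applies to `share.ID = int64(idFloat)` in the second login.go hunk. For defense in depth, reject anything that is not a positive whole number before converting, e.g. `if id != math.Trunc(id) || id <= 0 { return nil, &ErrLinkShareTokenInvalid{} }` (requires `math`), and consider treating an empty `hash` the same way since `hash, is := claims["hash"].(string)` lets `""` through. The float64 assertions also rely on the parser decoding JSON numbers as float64, which is the jwt default; if the parser were ever configured with `jwt.WithJSONNumber()` every valid token would be rejected here, which deserves a one-line comment above the first check. GetLinkShareFromClaims starts before this hunk, where `projectID` and `permissionFloat` are read.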
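Review bot: The assertion `claims := jwtinf.Claims.(jwt.MapClaims)` on the context line directly above the new check is still single-valued, so a token whose Claims is not a MapClaims would panic before the new `is` test runs; the same unchecked assertion, together with `c.Get("user").(*jwt.Token)`, remains at the top of RenewToken in the first login.go hunk. Use the two-value form there too, `claims, ok := jwtinf.Claims.(jwt.MapClaims)` followed by `if !ok { return nil, echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.") }` (without the `nil` in RenewToken). Whether the JWT middleware can actually hand over a different claims type depends on its configuration, which is outside this view, but the commit title promises that all claim assertions are checked. As a style point the boolean is conventionally named `ok` rather than `is`. GetAuthFromClaims continues past the end of the hunk.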
diff --git a/pkg/routes/api/v1/login.go b/pkg/routes/api/v1/login.go
index 1fb674d88..6ce1e3992 100644
--- a/pkg/routes/api/v1/login.go
+++ b/pkg/routes/api/v1/login.go
@@ -130,7 +130,11 @@ func Login(c *echo.Context) (err error) {
 func RenewToken(c *echo.Context) (err error) {
 jwtinf := c.Get("user").(*jwt.Token)
 claims := jwtinf.Claims.(jwt.MapClaims)
- typ := int(claims["type"].(float64))
+ typFloat, is := claims["type"].(float64)
+ if !is {
+ return echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
+ }
+ typ := int(typFloat)
 
 if typ == auth.AuthTypeUser {
 return echo.NewHTTPError(
@@ -147,7 +151,11 @@ func RenewToken(c *echo.Context) (err error) {
 defer s.Close()
 
 share := &models.LinkSharing{}
- share.ID = int64(claims["id"].(float64))
+ idFloat, is := claims["id"].(float64)
+ if !is {
+ return echo.NewHTTPError(http.StatusBadRequest, "Invalid JWT token.")
+ }
+ share.ID = int64(idFloat)
 err = share.ReadOne(s, share)
 if err != nil {
 _ = s.Rollback()
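Review bot: The new early return after `defer s.Close()` skips the `_ = s.Rollback()` that the neighbouring `ReadOne` error path performs, so the two error exits in the same function now behave differently; whether `Close` alone rolls back an open transaction depends on the session type, which is not visible here. Rather than adding a rollback, move the claim check up next to the existing `typFloat` check at the top of RenewToken — `claims` is already in scope there — so a malformed token is rejected before any database session is opened, leaving only `share.ID = int64(idFloat)` at this point. RenewToken begins in the previous hunk and continues past this one.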