Sample Solution and Autotests for JWT.go are incorrect

Hi,

The sample solution and JWT.go autotests fail to verify the signature of the JWT.
This is because the jwt.Parse() function takes nil as the key function, rather than a user-defined key function which returns the secret.

Steps to reproduce:

  • download the sample solution
  • add the following line in the main() function to print a valid token on running the container
  • make run
  • test the token using curl to make sure it works:

curl -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTQxNTYzNDIsImZpcnN0TmFtZSI6InRlc3QiLCJpYXQiOjE2OTQxNTI3NDIsInJvbGUiOiJhZG1pbiJ9.jULoGYAuE89hmF-3dNMDzOsFH2BrZPgbStJS98m0AUk' localhost:8080/options -vvv

  • put the token into a site like jwt.io and change the signature
  • test the token again:

curl -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTQxNTYzNDIsImZpcnN0TmFtZSI6InRlc3QiLCJpYXQiOjE2OTQxNTI3NDIsInJvbGUiOiJhZG1pbiJ9.R1GhFc8g3l-7-NfHgLsiEwP-UMwn6--dTs9ZkFwWEIw' localhost:8080/options -vvv

Note that the first secret is correct, the second secret is simply “secret”

Just noting that the “localhost” in the curl commands should have “http://” in front. However, I couldn’t post as “New users can only have 2 links in a post”

Sample solutions are actual solutions by other players who have previously passed this challenge. So it is strange that it fails locally for you.

Allow me to investigate this.

I tested and it works. The solution was submitted when this challenge was based on Go 1.12. We have migrated all Go challenges to v1.17, and that may have caused issues when you try to run them locally.

To get sample solution working locally:

  1. Update Dockerfile to use secdim/play-go:1.17
  2. Overwrite src/go.* with new ones
  3. Change imports to github.com/labstack/echo/v4
  4. make test and make run

I made these changes and got the solution working locally.

BTW, I can see you have already passed this challenge. Do you still have issues?

The issue isn’t with the sample solution. The issue is that the autotests don’t verify the integrity of the JWT.

The JWT secret can be an arbitrary value. This is because the sample solution has the following code snippet:
[image]

However, the correct code should be:

Where <keyFunc> is the function where the JWT secret is validated (hence verifying the integrity of the token).

Using the nil value effectively uses the None algorithm type.

I tested the challenge again with my solution and the sample solution. The last 2 passing commits should demonstrate the issue.

Interesting. I get your point and wondering how this solution passed the final test.

So the final security test (on the server, a.k.a. autotest) checks exactly for this scenario, i.e. whether the JWT signature is verified. The test generates a token using an arbitrary key and expects the app to reject it, which in this case the app did.

I’ve reviewed other solutions and they did specify the KeyFunc parameter to pass this challenge.

OK, got what was wrong. The reason the solution rejects the token is not the signature check; it is the missing claim checks (line 53 of the solution, which I am not copying here).
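To make the two points in this thread concrete (a nil key function skips signature verification entirely, and a claim check can mask that gap), here is an added example that is not part of the thread, the sample solution or the SecDim autotests. It hand-rolls HS256 with the Go standard library instead of importing jwt-go so it runs offline; the server secret "server-secret", the forging key "secret", the fixed clock value and the claim set are constructed for the example, and the required-claims rule (exp present and not passed, role present) is an assumed stand-in for whatever the solution checks on its line 53.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the payload of the tokens posted in the thread.
type Claims struct {
	Exp       int64  `json:"exp"`
	Iat       int64  `json:"iat"`
	FirstName string `json:"firstName"`
	Role      string `json:"role"`
}

// KeyFunc plays the role of jwt-go's Keyfunc: given the header alg, return
// the verification key or refuse.
type KeyFunc func(alg string) ([]byte, error)

// HMACKeyFunc is the "correct" key function: it pins the algorithm to HS256
// and hands back the server's secret.
func HMACKeyFunc(secret []byte) KeyFunc {
	return func(alg string) ([]byte, error) {
		if alg != "HS256" {
			return nil, fmt.Errorf("unexpected signing method %q", alg)
		}
		return secret, nil
	}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign builds a compact HS256 token under any secret; it stands in for jwt.io
// or for the arbitrary key the autotest uses to forge a token.
func Sign(c Claims, secret []byte) string {
	payload, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// Parse mimics jwt.Parse: with keyFunc == nil (the sample solution's bug) the
// signature is never compared, so token integrity is not checked at all.
// The claim checks at the end run in both cases.
func Parse(token string, keyFunc KeyFunc, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return c, err
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return c, err
	}
	if keyFunc != nil {
		key, err := keyFunc(hdr.Alg)
		if err != nil {
			return c, err
		}
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		if err != nil {
			return c, err
		}
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		if !hmac.Equal(sig, mac.Sum(nil)) {
			return c, errors.New("signature invalid")
		}
	}
	// Claim validation (assumed rule): a forged token that lacks these claims
	// is rejected here even when the signature was never checked.
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired or missing exp")
	}
	if c.Role == "" {
		return c, errors.New("missing role claim")
	}
	return c, nil
}

func main() {
	now := time.Unix(1694153000, 0) // constructed clock between the posted iat and exp
	claims := Claims{Exp: 1694156342, Iat: 1694152742, FirstName: "test", Role: "admin"}
	forged := Sign(claims, []byte("secret")) // signed with the arbitrary key from the thread
	_, errNil := Parse(forged, nil, now)
	_, errKF := Parse(forged, HMACKeyFunc([]byte("server-secret")), now)
	fmt.Println("forged token, nil keyFunc:", errNil) // <nil>: accepted
	fmt.Println("forged token, HMACKeyFunc:", errKF)  // signature invalid
}
```

The last check in the test below is the autotest trap: a token signed with an arbitrary key but missing the role claim is rejected by the nil-keyFunc parser too, so an autotest that only forges the key cannot tell claim validation from signature validation. A forged token that carries the full claim set separates the two.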

Good find @johnzt2020 :clap:


OK, the final test is fixed. I verified and the sample solution will fail. Will remove the solution and scores received.
