Validate JWT algorithm allowlist is non-empty at construction

Author: ScriptSmith

src/auth/gateway_jwt.rs

@@ -23,7 +23,7 @@ const NEGATIVE_CACHE_TTL: std::time::Duration = std::time::Duration::from_secs(6
 /// Maximum number of negative cache entries before eviction kicks in.
 /// Prevents unbounded memory growth from attacker-controlled JWT issuers.
 #[cfg(feature = "sso")]
-const MAX_NEGATIVE_CACHE_ENTRIES: usize = 10_000;
+const MAX_NEGATIVE_CACHE_ENTRIES: usize = 1_000;
 
 /// Internal state behind the single `RwLock`.
 struct RegistryInner {
@@ -94,7 +94,7 @@ impl GatewayJwtRegistry {
             super::fetch_jwks_uri(discovery_url, http_client, allow_loopback, allow_private)
                 .await?;
         let jwt_config = build_jwt_config_from_sso(issuer, client_id, &jwks_url, config);
-        let validator = Arc::new(JwtValidator::with_client(jwt_config, http_client.clone()));
+        let validator = Arc::new(JwtValidator::with_client(jwt_config, http_client.clone())?);
 
         // Single write lock: remove old issuer index, insert validator, update index
         let mut inner = self.inner.write().await;
@@ -318,7 +318,7 @@ mod tests {
             allowed_algorithms: vec![JwtAlgorithm::RS256],
         };
 
-        let validator = Arc::new(JwtValidator::new(config));
+        let validator = Arc::new(JwtValidator::new(config).unwrap());
         {
             let mut inner = registry.inner.write().await;
             inner.validators.insert(org_id, validator);
@@ -357,17 +357,20 @@ mod tests {
         let org2 = Uuid::new_v4();
 
         let make_validator = || {
-            Arc::new(JwtValidator::new(JwtAuthConfig {
-                issuer: issuer.to_string(),
-                audience: OneOrMany::One("test".to_string()),
-                jwks_url: "https://shared-idp.example.com/jwks".to_string(),
-                jwks_refresh_secs: 3600,
-                identity_claim: "sub".to_string(),
-                org_claim: None,
-                additional_claims: vec![],
-                allow_expired: false,
-                allowed_algorithms: vec![JwtAlgorithm::RS256],
-            }))
+            Arc::new(
+                JwtValidator::new(JwtAuthConfig {
+                    issuer: issuer.to_string(),
+                    audience: OneOrMany::One("test".to_string()),
+                    jwks_url: "https://shared-idp.example.com/jwks".to_string(),
+                    jwks_refresh_secs: 3600,
+                    identity_claim: "sub".to_string(),
+                    org_claim: None,
+                    additional_claims: vec![],
+                    allow_expired: false,
+                    allowed_algorithms: vec![JwtAlgorithm::RS256],
+                })
+                .unwrap(),
+            )
         };
 
         {

src/auth/jwt.rs

@@ -114,21 +114,34 @@ pub struct JwtValidator {
 impl JwtValidator {
     /// Create a new JWT validator.
     #[allow(dead_code)] // Auth infrastructure
-    pub fn new(config: JwtAuthConfig) -> Self {
-        Self {
+    pub fn new(config: JwtAuthConfig) -> Result<Self, AuthError> {
+        if config.allowed_algorithms.is_empty() {
+            return Err(AuthError::Internal(
+                "JWT allowed_algorithms must not be empty".into(),
+            ));
+        }
+        Ok(Self {
             config,
             http_client: reqwest::Client::new(),
             jwks_cache: RwLock::new(None),
-        }
+        })
     }
 
     /// Create a new JWT validator with a custom HTTP client.
-    pub fn with_client(config: JwtAuthConfig, http_client: reqwest::Client) -> Self {
-        Self {
+    pub fn with_client(
+        config: JwtAuthConfig,
+        http_client: reqwest::Client,
+    ) -> Result<Self, AuthError> {
+        if config.allowed_algorithms.is_empty() {
+            return Err(AuthError::Internal(
+                "JWT allowed_algorithms must not be empty".into(),
+            ));
+        }
+        Ok(Self {
             config,
             http_client,
             jwks_cache: RwLock::new(None),
-        }
+        })
     }
 
     /// Validate a JWT and return the claims.
@@ -423,23 +436,23 @@ mod tests {
     #[test]
     fn test_algorithm_allowlist_rs256_allowed() {
         let config = test_config();
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         assert!(validator.is_algorithm_allowed(Algorithm::RS256));
     }
 
     #[test]
     fn test_algorithm_allowlist_es256_allowed() {
         let config = test_config();
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         assert!(validator.is_algorithm_allowed(Algorithm::ES256));
     }
 
     #[test]
     fn test_algorithm_allowlist_hs256_rejected() {
         let config = test_config();
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         // HS256 is not in the allowed list
         assert!(!validator.is_algorithm_allowed(Algorithm::HS256));
@@ -448,7 +461,7 @@ mod tests {
     #[test]
     fn test_algorithm_allowlist_rs384_rejected() {
         let config = test_config();
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         // RS384 is not in the allowed list (only RS256 and ES256)
         assert!(!validator.is_algorithm_allowed(Algorithm::RS384));
@@ -461,7 +474,7 @@ mod tests {
             allowed_algorithms: vec![JwtAlgorithm::HS256],
             ..test_config()
         };
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         assert!(validator.is_algorithm_allowed(Algorithm::HS256));
         assert!(!validator.is_algorithm_allowed(Algorithm::RS256));
@@ -477,7 +490,7 @@ mod tests {
             ],
             ..test_config()
         };
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         assert!(validator.is_algorithm_allowed(Algorithm::RS256));
         assert!(validator.is_algorithm_allowed(Algorithm::RS384));
@@ -487,16 +500,12 @@ mod tests {
     }
 
     #[test]
-    fn test_algorithm_allowlist_empty_rejects_all() {
+    fn test_algorithm_allowlist_empty_rejected() {
         let config = JwtAuthConfig {
             allowed_algorithms: vec![],
             ..test_config()
         };
-        let validator = JwtValidator::new(config);
-
-        assert!(!validator.is_algorithm_allowed(Algorithm::RS256));
-        assert!(!validator.is_algorithm_allowed(Algorithm::ES256));
-        assert!(!validator.is_algorithm_allowed(Algorithm::HS256));
+        assert!(JwtValidator::new(config).is_err());
     }
 
     #[test]
@@ -523,7 +532,7 @@ mod tests {
             allowed_algorithms: vec![JwtAlgorithm::RS256, JwtAlgorithm::ES256],
             ..test_config()
         };
-        let validator = JwtValidator::new(config);
+        let validator = JwtValidator::new(config).unwrap();
 
         let allowed = validator.allowed_algorithms();
         assert_eq!(allowed.len(), 2);

src/auth/oidc.rs

@@ -247,7 +247,7 @@ impl OidcAuthenticator {
                 *validator = Some(Arc::new(JwtValidator::with_client(
                     jwt_config,
                     self.http_client.clone(),
-                )));
+                )?));
             }
         }
 

src/middleware/layers/admin.rs

@@ -1036,7 +1036,7 @@ async fn validate_bearer_token(
     };
 
     let validator =
-        crate::auth::jwt::JwtValidator::with_client(jwt_config, state.http_client.clone());
+        crate::auth::jwt::JwtValidator::with_client(jwt_config, state.http_client.clone())?;
 
     let claims = validator.validate(token).await?;