Skip to content

Portal: Various bug fixes#5792

Merged
carmenlau merged 3 commits into
authgear:mainfrom
tung2744:fix-portal-auth
Jun 30, 2026
Merged

Portal: Various bug fixes#5792
carmenlau merged 3 commits into
authgear:mainfrom
tung2744:fix-portal-auth

Conversation

@tung2744

Copy link
Copy Markdown
Contributor

ref DEV-3679

The SessionInfoMiddleware validated JWT signature and expiry but did not
check the typ header, allowing id_tokens (typ: JWT) to be accepted in
place of access tokens (typ: at+jwt). Both token types share the same
signing key and required claims, making this a real token confusion
vulnerability when WEB_SDK_SESSION_TYPE=refresh_token.

Fix by extracting the raw bearer token, rejecting any JWT whose typ
header is not "at+jwt" before performing full signature verification.
Covers both the portal API and the site admin API, which share the
same SessionInfoMiddleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@carmenlau carmenlau left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR looks good, but the commit message for caa5b09 is a bit misleading. It says:

Fix by removing the entire secret entry when no certificates remain after
deletion, consistent with how other secret types handle cleanup.

However, the code actually rejects the deletion with an error. If it's not too much trouble, could you update the commit message?

tung2744 added 2 commits June 30, 2026 16:45
Update .vettedpositions line numbers for middleware_session_info.go (lines shifted after new code was added) and update []interface{}{} to []any{} per go fix.
@tung2744

Copy link
Copy Markdown
Contributor Author

@carmenlau Fixed, thanks!

@carmenlau
carmenlau merged commit 58c06ee into authgear:main Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants