Switch to insecure_decode to avoid constructing invalid key

DoumanAsh · DoumanAsh · commit cc5819c60d94 · 2025-11-23T16:06:32.000+09:00
diff --git a/foundation/auth/src/token_source/compute_identity_source.rs b/foundation/auth/src/token_source/compute_identity_source.rs
@@ -1,5 +1,4 @@
 use async_trait::async_trait;
-use jsonwebtoken::Validation;
 use serde::Deserialize;
 use time::OffsetDateTime;
 use urlencoding::encode;
@@ -20,8 +19,6 @@ use crate::token_source::{default_http_client, TokenSource};
 pub struct ComputeIdentitySource {
     token_url: String,
     client: reqwest::Client,
-    decoding_key: jsonwebtoken::DecodingKey,
-    validation: jsonwebtoken::Validation,
 }
 
 impl std::fmt::Debug for ComputeIdentitySource {
@@ -39,21 +36,13 @@ impl ComputeIdentitySource {
             Err(_e) => METADATA_IP.to_string(),
         };
 
-        // Only used to extract the expiry without checking the signature.
-        let mut validation = Validation::default();
-        validation.insecure_disable_signature_validation();
-        validation.set_audience(&[audience]);
-        let decoding_key = jsonwebtoken::DecodingKey::from_secret(b"");
-
         Ok(ComputeIdentitySource {
             token_url: format!(
                 "http://{}/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format=full",
                 host,
                 encode(audience)
             ),
             client: default_http_client(),
-            decoding_key,
-            validation,
         })
     }
 }
@@ -75,14 +64,11 @@ impl TokenSource for ComputeIdentitySource {
             .text()
             .await?;
 
-        let exp = jsonwebtoken::decode::<ExpClaim>(&jwt, &self.decoding_key, &self.validation)?
-            .claims
-            .exp;
-
+        let token = jsonwebtoken::dangerous::insecure_decode::<ExpClaim>(jwt.as_bytes())?;
         Ok(Token {
             access_token: jwt,
             token_type: "Bearer".into(),
-            expiry: OffsetDateTime::from_unix_timestamp(exp).ok(),
+            expiry: OffsetDateTime::from_unix_timestamp(token.claims.exp).ok(),
         })
     }
 }
diff --git a/foundation/auth/src/token_source/mod.rs b/foundation/auth/src/token_source/mod.rs
@@ -66,16 +66,10 @@ impl InternalIdToken {
         })
     }
 
-    fn get_exp(&self, audience: &str) -> Result<i64, Error> {
-        let mut validation = jsonwebtoken::Validation::default();
-        validation.insecure_disable_signature_validation();
-        validation.set_audience(&[audience]);
-        let decoding_key = jsonwebtoken::DecodingKey::from_secret(b"");
-        Ok(
-            jsonwebtoken::decode::<ExpClaim>(self.id_token.as_str(), &decoding_key, &validation)?
-                .claims
-                .exp,
-        )
+    fn get_exp(&self, _audience: &str) -> Result<i64, Error> {
+        //skips all checks, so audience has to be manually checked if necessary
+        let token = jsonwebtoken::dangerous::insecure_decode::<ExpClaim>(self.id_token.as_bytes())?;
+        Ok(token.claims.exp)
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -66,16 +66,10 @@ impl InternalIdToken {`
`66`	`66`	`})`
`67`	`67`	`}`
`68`	`68`
`69`		`- fn get_exp(&self, audience: &str) -> Result<i64, Error> {`
`70`		`- let mut validation = jsonwebtoken::Validation::default();`
`71`		`- validation.insecure_disable_signature_validation();`
`72`		`- validation.set_audience(&[audience]);`
`73`		`- let decoding_key = jsonwebtoken::DecodingKey::from_secret(b"");`
`74`		`- Ok(`
`75`		`- jsonwebtoken::decode::<ExpClaim>(self.id_token.as_str(), &decoding_key, &validation)?`
`76`		`- .claims`
`77`		`- .exp,`
`78`		`- )`
	`69`	`+ fn get_exp(&self, _audience: &str) -> Result<i64, Error> {`
	`70`	`+ //skips all checks, so audience has to be manually checked if necessary`
	`71`	`+ let token = jsonwebtoken::dangerous::insecure_decode::<ExpClaim>(self.id_token.as_bytes())?;`
	`72`	`+ Ok(token.claims.exp)`
`79`	`73`	`}`
`80`	`74`	`}`
`81`	`75`