Fix logic that exposes algorithm confusion vulnerability (#329)

abunuwas · piyushroshan · web-flow · commit 91d8ac5eeb44 · 2025-10-24T16:16:10.000+05:30
* Fix logic that exposes algorithm confusion vulnerability

---------

Co-authored-by: Roshan Piyush &lt;piyush.roshan@gmail.com&gt;
diff --git a/services/identity/src/main/java/com/crapi/config/JwtProvider.java b/services/identity/src/main/java/com/crapi/config/JwtProvider.java
@@ -189,10 +189,10 @@ public boolean validateJwtToken(String authToken) {
           log.debug("Key from JKU: " + verificationKey.toJSONString());
           verifier = new RSASSAVerifier(verificationKey);
         }
-        valid = signedJWT.verify(verifier);
-        log.debug("JWT valid?: " + valid);
-        return valid;
       }
+      valid = signedJWT.verify(verifier);
+      log.debug("JWT valid?: " + valid);
+      return valid;
 
     } catch (ParseException e) {
       try {

Original file line number	Diff line number	Diff line change
`@@ -189,10 +189,10 @@ public boolean validateJwtToken(String authToken) {`
`189`	`189`	`log.debug("Key from JKU: " + verificationKey.toJSONString());`
`190`	`190`	`verifier = new RSASSAVerifier(verificationKey);`
`191`	`191`	`}`
`192`		`- valid = signedJWT.verify(verifier);`
`193`		`- log.debug("JWT valid?: " + valid);`
`194`		`- return valid;`
`195`	`192`	`}`
	`193`	`+ valid = signedJWT.verify(verifier);`
	`194`	`+ log.debug("JWT valid?: " + valid);`
	`195`	`+ return valid;`
`196`	`196`
`197`	`197`	`} catch (ParseException e) {`
`198`	`198`	`try {`