From 8e4d64d8aabecf1fc9eed3f584527059c2402580 Mon Sep 17 00:00:00 2001
From: Abhishek Choudhary
Date: Tue, 24 Dec 2024 12:01:26 +0545
Subject: [PATCH] fix(jwt-auth): disallow empty key configuration attributes
---
 apisix/plugins/jwt-auth.lua | 10 ++++--
 t/plugin/jwt-auth4.t | 70 +++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 4b8d3e0f9560..db8e49c8a0e5 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -62,8 +62,14 @@ local consumer_schema = {
 type = "object",
 -- can't use additionalProperties with dependencies
 properties = {
- key = {type = "string"},
- secret = {type = "string"},
+ key = {
+ type = "string",
+ minLength = 1,
+ },
+ secret = {
+ type = "string",
+ minLength = 1,
+ },
 algorithm = {
 type = "string",
 enum = {"HS256", "HS512", "RS256", "ES256"},
diff --git a/t/plugin/jwt-auth4.t b/t/plugin/jwt-auth4.t
index 075fbb85f01f..48fbc5de1baf 100644
--- a/t/plugin/jwt-auth4.t
+++ b/t/plugin/jwt-auth4.t
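Review bot: `minLength = 1` on `secret` rejects only the empty string, so a one-character HS256/HS512 secret still passes schema validation; the constraint should be documented as a presence check rather than a strength check, e.g. `-- minLength = 1 only rejects ""; it does not enforce HMAC key strength`. RFC 7518 section 3.2 asks for an HMAC key at least as long as the hash output, so a higher floor for the HS* algorithms is worth considering, though raising it in place could reject consumers that are already stored. `consumer_schema` continues outside the hunk, so whether `public_key` and `private_key` (used by TEST 5) get the same non-empty constraint cannot be seen here and should be checked against the commit title.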
@@ -160,3 +160,73 @@ GET /t
 --- more_headers
 --- response_body
 hello world
+
+
+
+=== TEST 4: ensure secret is non empty
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin").test
+ -- prepare consumer with a custom key claim name
+ local csm_code, csm_body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "mike",
+ "plugins": {
+ "jwt-auth": {
+ "key": "custom-user-key",
+ "secret": ""
+ }
+ }
+ }]]
+ )
+ if csm_code == 200 then
+ ngx.status = 500
+ ngx.say("error")
+ return
+ end
+ ngx.status = csm_code
+ ngx.say(csm_body)
+ }
+ }
+--- error_code: 400
+--- response_body eval
+qr/\\"secret\\" validation failed: string too short, expected at least 1, got 0/
+
+
+
+=== TEST 5: ensure key is non empty
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin").test
+ -- prepare consumer with a custom key claim name
+ local csm_code, csm_body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "mike",
+ "plugins": {
+ "jwt-auth": {
+ "key": "",
+ "algorithm": "RS256",
+ "public_key": "somekey",
+ "private_key": "someprivkey"
+ }
+ }
+ }]]
+ )
+ if csm_code == 200 then
+ ngx.status = 500
+ ngx.say("error")
+ return
+ end
+ ngx.status = csm_code
+ ngx.say(csm_body)
+ }
+ }
+--- error_code: 400
+--- response_body eval
+qr/\\"key\\" validation failed: string too short, expected at least 1, got 0/
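Review bot: The success guard `if csm_code == 200 then` in TEST 4 and TEST 5 only catches a 200, while a PUT that creates a consumer is, as far as I know, answered with 201 by the Admin API; `if csm_code < 300 then` would state the intent, although `--- error_code: 400` still fails the test in that case. The comment `-- prepare consumer with a custom key claim name` appears to be copied from an earlier test and does not describe these cases; something like `-- consumer creation must be rejected: "secret" is empty` (and the `"key"` equivalent in TEST 5) would. `local core = require("apisix.core")` is unused in both blocks and can be dropped.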