From f4068e99afc32740587e839fa0fda3f1c2520298 Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Sun, 23 Nov 2025 11:03:45 +0100
Subject: [PATCH] Fix some issues/comments
Signed-off-by: BlackDex
---
 src/api/core/sends.rs | 2 +-
 src/db/models/attachment.rs | 2 +-
 src/sso.rs | 25 +++++++++++++++++++++++--
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/api/core/sends.rs b/src/api/core/sends.rs
index 8e02276e..10bf85be 100644
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@@ -568,7 +568,7 @@ async fn post_access_file(
 async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result {
 let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
- if operator.info().scheme() == String::from(opendal::Scheme::Fs) {
+ if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
 let token_claims = crate::auth::generate_send_claims(send_id, file_id);
 let token = crate::auth::encode_jwt(&token_claims);
diff --git a/src/db/models/attachment.rs b/src/db/models/attachment.rs
index 83ba63d1..4273c22a 100644
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -46,7 +46,7 @@ impl Attachment {
 pub async fn get_url(&self, host: &str) -> Result {
 let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
- if operator.info().scheme() == String::from(opendal::Scheme::Fs) {
+ if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
 let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
 Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
 } else {
diff --git a/src/sso.rs b/src/sso.rs
index ba89fc02..789f0a3b 100644
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -132,6 +132,12 @@ struct BasicTokenClaims {
 exp: i64,
 }
+#[derive(Deserialize)]
+struct BasicTokenClaimsValidation {
+ exp: u64,
+ iss: String,
+}
+
 impl BasicTokenClaims {
 fn nbf(&self) -> i64 {
 self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
@@ -139,8 +145,23 @@ impl BasicTokenClaims {
 }
 fn decode_token_claims(token_name: &str, token: &str) -> ApiResult {
- match jsonwebtoken::dangerous::insecure_decode(token) {
- Ok(btc) => Ok(btc.claims),
+ // We need to manually validate this token, since `insecure_decode` does not do this
+ match jsonwebtoken::dangerous::insecure_decode::(token) {
+ Ok(btcv) => {
+ let now = jsonwebtoken::get_current_timestamp();
+ let validate_claim = btcv.claims;
+ // Validate the exp in the claim with a leeway of 60 seconds, same as jsonwebtoken does
+ if validate_claim.exp < now - 60 {
+ err_silent!(format!("Expired Signature for base token claim from {token_name}"))
+ }
+ if validate_claim.iss.ne(&CONFIG.sso_authority()) {
+ err_silent!(format!("Invalid Issuer for base token claim from {token_name}"))
+ }
+
+ // All is validated and ok, lets decode again using the wanted struct
+ let btc = jsonwebtoken::dangerous::insecure_decode::(token).unwrap();
+ Ok(btc.claims)
+ }
 Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
 }
 }
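Review bot: `BasicTokenClaimsValidation` declares `exp: u64` while the existing `BasicTokenClaims` keeps `exp: i64`, so a token can deserialize into the first struct and fail on the second; the `.unwrap()` on the second `insecure_decode` call in the `decode_token_claims` hunk then panics on token-supplied data instead of returning an error. Give both structs the same `exp` type, and handle the second decode's error with `err_silent!` the way the outer `Err(err)` arm does. Decoding once into a single struct that also carries `iss` would avoid the double parse altogether. The new struct would also benefit from a doc comment such as `/// Claims read from an unverified token, used only for the exp/iss sanity checks.`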
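Review bot: The `exp` and `iss` checks in `decode_token_claims` run on claims returned by `insecure_decode`, which does not verify the signature, so they show only that the token claims to be current and from the configured issuer, not that the issuer produced it. The comment `// We need to manually validate this token...` reads as if the token is fully validated afterwards; consider `// Signature is NOT verified here: exp/iss are sanity checks only, do not treat these claims as authenticated`. The strict `iss.ne(&CONFIG.sso_authority())` comparison may also reject legitimate tokens if a provider's issuer string differs from the configured authority (for example by a trailing slash); whether that occurs depends on configuration not visible in this hunk.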