ai/chat
1
0
Fork 0
Code Activity

security: remove unsafe direct DID auth bypass

Browse Source
This commit is contained in:
syui
2026-03-22 17:07:08 +09:00
parent c8cd7401f1
commit ffaf015bf1
1 changed files with 0 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/main.rs
View File

@@ -283,10 +283,6 @@ fn extract_did(headers: &HeaderMap) -> Option<String> {
let auth = headers.get("authorization")?.to_str().ok()?; let auth = headers.get("authorization")?.to_str().ok()?;
let token = auth.strip_prefix("Bearer ")?; let token = auth.strip_prefix("Bearer ")?;
if token.starts_with("did:") {
return Some(token.to_string());
}
// Decode JWT payload: prefer "sub" (service auth from PDS proxy), fallback to "iss" // Decode JWT payload: prefer "sub" (service auth from PDS proxy), fallback to "iss"
let parts: Vec<&str> = token.split('.').collect(); let parts: Vec<&str> = token.split('.').collect();
if parts.len() == 3 { if parts.len() == 3 {