fix: prevent use of hs* symmetric keys as urls and disallow http urls by default

[SkArchon]

Summary by CodeRabbit

• New Features

  • Added support for configuring whether insecure JWKS URLs (HTTP) are allowed via a new setting.
  • Enforced explicit specification of allowed JWT algorithms for JWKS authentication.
  • Improved validation and error messages when required JWT algorithm settings are missing or invalid.

• Bug Fixes

  • Enhanced schema and configuration validation to prevent missing or empty JWT algorithm arrays.

• Tests

  • Added and updated test cases to cover insecure URL usage, algorithm requirements, and configuration validation.
  • Removed tests related to unsupported HMAC algorithms.

Warning

Breaking Changes

• HS* (256, etc) symmetric support has been removed for JWKs URLs, and you will need to explicitly specify the algorithms you aim to support now for your keys. (If you are using HS* symmetric keys, you can use the secret parameter in the configuration instead)
• Http URLs are now prevented from being used for JWKs urls by default, but can be configured to be allowed.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change enforces explicit specification of allowed JWT algorithms in JWKS configurations, adds validation for insecure JWKS URLs, and removes HMAC-related authentication support. It updates function signatures, configuration schemas, and test cases to require algorithm lists and to optionally allow insecure JWKS URLs via a new boolean flag in configuration and function calls.

Changes

Files/Groups	Change Summary
router-tests/authentication_test.go	Enforces allowed algorithms in JWKS configs, adds insecure URL validation tests, removes HMAC tests, adjusts helper defaults.
router-tests/header_set_test.go router-tests/modules/set_scopes_test.go router-tests/ratelimit_test.go router-tests/websocket_test.go	Adds boolean argument to NewJwksTokenDecoder calls for secure URL enforcement in test cases.
router-tests/utils.go	Introduces BaseJwksAlgorithms, updates auth helpers to require allowed algorithms and secure URL flag.
router/core/supervisor_instance.go	Adds AllowInsecureJwksUrls flag to NewJwksTokenDecoder call in authenticator setup.
router/pkg/authentication/authentication.go	Adds package-level error for missing algorithms.
router/pkg/authentication/jwks_token_decoder.go	Updates NewJwksTokenDecoder signature to include insecure URL flag; enforces HTTPS unless allowed.
router/pkg/authentication/validation_store.go	Removes HMAC algorithm support, requires non-empty algorithm list, updates return signature for error handling.
router/pkg/config/config.go	Adds AllowInsecureJwksUrls boolean field to JWT config struct.
router/pkg/config/config.schema.json	Requires non-empty algorithms array for JWKS URL configs in schema; enforces presence of field.
router/pkg/config/config_test.go	Adds tests for missing/empty algorithms field in JWT JWKS config validation.
router/pkg/config/testdata/config_defaults.json router/pkg/config/testdata/config_full.json	Adds AllowInsecureJwksUrls field to JWT config in test JSON files.

Estimated code review effort

3 (~40 minutes)

Possibly related PRs

• wundergraph/cosmo#2067: Both PRs modify NewJwksTokenDecoder and related JWT/JWKS authentication logic, with this PR focusing on algorithm enforcement and insecure URL validation, and feat: support symmetric key algorithms for JWKs #2067 adding symmetric key and local secret-based JWKS support.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch milinda/eng-7666-prevent-use-of-hs3256-hs-symmetric-keys-as-urls

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[SkArchon]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-65dd2da0bcfc72b6199305858753392dd5777d68-nonroot

[coderabbitai]

Actionable comments posted: 4

🔭 Outside diff range comments (1)

router/pkg/config/config_test.go (1)

1312-1329: Potential test failure due to new algorithm validation.

The test at line 1321 uses algorithms: [] (empty array), which will now fail the minItems validation introduced earlier. This test should be updated to either:

1. Remove the algorithms field entirely to test the missing property validation
2. Use a valid non-empty algorithms array if testing other validation aspects

Apply this fix to maintain test correctness:

 authentication:
   jwt:
     jwks:
-      - algorithms: []
+      - url: "http://example.com"

Or if you want to test the missing algorithms validation specifically:

 authentication:
   jwt:
     jwks:
-      - algorithms: []
+      - some_other_field: "value"

🧹 Nitpick comments (5)

router-tests/modules/set_scopes_test.go (1)

32-37: LGTM: Test updated for new function signature.

The addition of true as the second parameter correctly updates the test for the modified NewJwksTokenDecoder function signature. Using true in tests is appropriate for allowing local/test JWKS URLs.

Consider adding a test case that verifies the security behavior when allowInsecureJwksUrls is false to ensure the validation works as expected:

func TestSecureJWKSValidation(t *testing.T) {
	_, err := authentication.NewJwksTokenDecoder(integration.NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{
		{
			URL: "http://insecure-example.com/.well-known/jwks.json", // HTTP URL
			RefreshInterval: time.Second * 5,
		},
	}, false) // Disallow insecure URLs
	require.Error(t, err) // Should fail with insecure URL
}

router/pkg/config/config.schema.json (1)

1662-1665: Description contradicts new minItems: 1 constraint

algorithms now requires at least one entry ("minItems": 1), yet the preceding description still claims “An empty list means that all algorithms are allowed.”
Either drop the minItems constraint or update the description to avoid misleading users/documentation.

- "description": "The allowed algorithms for the keys that are retrieved from the JWKs. An empty list means that all algorithms are allowed.",
+ "description": "The allowed algorithms for the keys that are retrieved from the JWKs. At least one algorithm must be provided.",

router-tests/utils.go (1)

75-75: Consider making the insecure URL allowance configurable for comprehensive testing.

The hardcoded true value for allowInsecureJwksUrls is appropriate for test flexibility, but consider making this configurable per test to ensure some tests validate the secure behavior when allowInsecureJwksUrls is false.

For example, you could add an optional parameter:

-func ConfigureAuthWithJwksConfig(t *testing.T, jwksConfig []authentication.JWKSConfig) []authentication.Authenticator {
+func ConfigureAuthWithJwksConfig(t *testing.T, jwksConfig []authentication.JWKSConfig, allowInsecure ...bool) []authentication.Authenticator {
+	insecure := true
+	if len(allowInsecure) > 0 {
+		insecure = allowInsecure[0]
+	}
-	tokenDecoder, err := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), jwksConfig, true)
+	tokenDecoder, err := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), jwksConfig, insecure)

router-tests/authentication_test.go (2)

978-1016: Good test coverage for insecure URL validation.

The tests properly verify both rejection of HTTP URLs and acceptance of HTTPS URLs. However, consider improving the second test by using a mock server instead of a non-existent URL to avoid potential network timeouts.

---

2422-2432: Good backward compatibility handling.

The function properly handles the case where no algorithms are specified by defaulting to BaseJwksAlgorithms. Consider updating the comment to be more specific about which algorithms are included in the base set.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9cf3a25 and 8b42511.

📒 Files selected for processing (15)

• router-tests/authentication_test.go (24 hunks)
• router-tests/header_set_test.go (1 hunks)
• router-tests/modules/set_scopes_test.go (1 hunks)
• router-tests/ratelimit_test.go (1 hunks)
• router-tests/utils.go (2 hunks)
• router-tests/websocket_test.go (8 hunks)
• router/core/supervisor_instance.go (1 hunks)
• router/pkg/authentication/authentication.go (1 hunks)
• router/pkg/authentication/jwks_token_decoder.go (3 hunks)
• router/pkg/authentication/validation_store.go (3 hunks)
• router/pkg/config/config.go (1 hunks)
• router/pkg/config/config.schema.json (2 hunks)
• router/pkg/config/config_test.go (1 hunks)
• router/pkg/config/testdata/config_defaults.json (1 hunks)
• router/pkg/config/testdata/config_full.json (1 hunks)

🧠 Learnings (14)

📓 Common learnings

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/modules/set_scopes_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/config.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/authentication/validation_store.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/core/supervisor_instance.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/ratelimit_test.go (1)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/pkg/config/config_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/config.schema.json (4)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Learnt from: SkArchon
PR: #1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

router-tests/authentication_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/testdata/config_full.json (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/testdata/config_defaults.json (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/utils.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/authentication/jwks_token_decoder.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/websocket_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

🧬 Code Graph Analysis (4)

router/core/supervisor_instance.go (1)

router/pkg/authentication/jwks_token_decoder.go (1)

• NewJwksTokenDecoder (60-202)

router-tests/header_set_test.go (2)

router/pkg/authentication/jwks_token_decoder.go (2)

• NewJwksTokenDecoder (60-202)
• JWKSConfig (43-53)

router-tests/utils.go (1)

• NewContextWithCancel (36-40)

router/pkg/authentication/jwks_token_decoder.go (1)

router/pkg/authentication/validation_store.go (1)

• NewValidationStore (33-64)

router-tests/websocket_test.go (2)

router/pkg/authentication/jwks_token_decoder.go (2)

• NewJwksTokenDecoder (60-202)
• JWKSConfig (43-53)

router-tests/utils.go (1)

• NewContextWithCancel (36-40)

🧰 Additional context used

🧠 Learnings (14)

📓 Common learnings

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/modules/set_scopes_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/config.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/authentication/validation_store.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/core/supervisor_instance.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/ratelimit_test.go (1)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/pkg/config/config_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/config.schema.json (4)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Learnt from: SkArchon
PR: #1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

router-tests/authentication_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/testdata/config_full.json (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/config/testdata/config_defaults.json (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/utils.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/pkg/authentication/jwks_token_decoder.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router-tests/websocket_test.go (2)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

🧬 Code Graph Analysis (4)

router/core/supervisor_instance.go (1)

router/pkg/authentication/jwks_token_decoder.go (1)

• NewJwksTokenDecoder (60-202)

router-tests/header_set_test.go (2)

router/pkg/authentication/jwks_token_decoder.go (2)

• NewJwksTokenDecoder (60-202)
• JWKSConfig (43-53)

router-tests/utils.go (1)

• NewContextWithCancel (36-40)

router/pkg/authentication/jwks_token_decoder.go (1)

router/pkg/authentication/validation_store.go (1)

• NewValidationStore (33-64)

router-tests/websocket_test.go (2)

router/pkg/authentication/jwks_token_decoder.go (2)

• NewJwksTokenDecoder (60-202)
• JWKSConfig (43-53)

router-tests/utils.go (1)

• NewContextWithCancel (36-40)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: build-router
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_test

🔇 Additional comments (31)

router/pkg/authentication/authentication.go (1)

82-82: LGTM: Clear error variable for algorithm validation.

The new error variable follows Go naming conventions and provides a clear message for when algorithms are not specified in JWKS configuration.

router/pkg/config/config.go (1)

486-486: LGTM: Well-implemented security control.

The new AllowInsecureJwksUrls field correctly implements a security-by-default approach:

• Clear, descriptive field name
• Defaults to false for security
• Proper YAML and environment variable tags
• Follows existing naming conventions

router/pkg/config/testdata/config_defaults.json (1)

237-238: LGTM: Consistent test configuration update.

The addition of "AllowInsecureJwksUrls": false correctly reflects the new configuration field with the expected default value and proper JSON formatting.

router/pkg/config/testdata/config_full.json (2)

513-514: LGTM: Consistent configuration update.

The addition of "AllowInsecureJwksUrls": false is consistent with the configuration structure changes and maintains the secure default.

---

487-495: JSON Schema permits null/empty JWKS algorithms
The JSON schema does not define any required or minItems constraint on the Algorithms or Algorithm properties, so null or empty values are valid by design. Runtime warnings in jwks_token_decoder.go handle missing algorithm values for backwards-compatibility rather than enforcing a hard validation rule.

• No schema-level enforcement of non-empty Algorithms/Algorithm was found in router/pkg/config/config.schema.json.
• Runtime logic issues only warnings when an algorithm is absent.
• The test entry in router/pkg/config/testdata/config_full.json (lines 487–495) remains consistent with these rules.

No changes required.

Likely an incorrect or invalid review comment.

router-tests/header_set_test.go (1)

268-268: LGTM! Test correctly updated for new function signature.

The addition of true as the allowInsecureJwksUrls parameter is appropriate for test environments where insecure URLs may be used for simplicity. This aligns with the broader security enhancement to prevent insecure JWKS URLs in production while maintaining test flexibility.

router-tests/ratelimit_test.go (1)

264-264: LGTM! Consistent test update for enhanced security.

The addition of true for the allowInsecureJwksUrls parameter maintains test functionality while adapting to the enhanced JWKS URL security validation. This is consistent with other test file updates in the PR.

router/core/supervisor_instance.go (1)

267-267: LGTM! Proper integration of security configuration.

The change correctly passes the jwtConf.AllowInsecureJwksUrls configuration value to the token decoder, enabling administrators to control JWKS URL security policy. This properly implements the security enhancement while maintaining configurability.

router-tests/websocket_test.go (1)

129-129: LGTM: Function calls correctly updated for new signature

All calls to authentication.NewJwksTokenDecoder have been properly updated to include the new allowInsecureJwksUrls parameter with true as the value. This is appropriate for test scenarios where:

1. Test environments often use insecure (HTTP) endpoints
2. Security restrictions that apply in production should not block test execution
3. The tests need to verify functionality regardless of URL scheme

The consistent pattern across all test cases ensures uniform behavior and aligns with the PR's objective of making HTTPS the default while providing an override mechanism.

Also applies to: 178-178, 227-227, 286-286, 344-344, 406-406, 455-455, 856-856

router/pkg/authentication/validation_store.go (2)

20-31: Security improvement: HMAC algorithms correctly removed

The removal of HMAC algorithms (HS256, HS384, HS512) from supportedAlgorithms aligns with the PR objective of preventing the use of symmetric keys as URLs. This is a security best practice as:

1. HMAC algorithms use symmetric keys that should not be exposed in JWKS URLs
2. Asymmetric algorithms (RS*, PS*, ES*, EdDSA) are more appropriate for JWKS-based JWT verification
3. This change enforces the use of public key cryptography for JWT validation

---

33-33: Well-implemented error handling for algorithm validation

The function signature change to return (jwkset.Storage, error) and the enforcement of explicit algorithm specification is a good security practice. The implementation correctly:

1. Returns errNoAlgorithmsSpecified when no algorithms are provided, preventing the creation of a store with all supported algorithms
2. Maintains the error-aware signature consistently throughout the function
3. Returns appropriate success/error states based on validation results

This change enforces explicit algorithm specification, which improves security by preventing overly permissive configurations.

Also applies to: 50-52, 63-63

router/pkg/config/config.schema.json (1)

1690-1694: Potentially breaking change – existing configs without algorithms will now fail

Requiring both "url" and "algorithms" ("required": ["url", "algorithms"]) hard-fails any previously valid configuration that only supplied a url.
Past learnings emphasised backward compatibility by preferring warnings over hard validation (see JWKS schema decisions in earlier PR #2067). Please double-check that:

1. All production configs already include algorithms, or
2. A migration path / version gate is in place, or
3. Runtime code gracefully handles validation failures and surfaces clear error messages.

If this risk hasn’t been evaluated, consider soft-deprecating the missing field first (e.g. via schema warning pattern or runtime warning) before enforcing it.

router-tests/utils.go (2)

22-34: Excellent security improvement by excluding HMAC algorithms.

The BaseJwksAlgorithms list correctly includes only asymmetric algorithms (RSA, ECDSA, RSA-PSS, EdDSA) and excludes HMAC algorithms, which aligns with the PR objective to prevent use of symmetric keys in JWKS configurations.

---

58-72: Good practice to use secure algorithms in test configurations.

The update to set AllowedAlgorithms: BaseJwksAlgorithms ensures that tests use the same secure algorithm list that would be used in production, providing better test coverage for the security restrictions.

router/pkg/authentication/jwks_token_decoder.go (4)

8-8: Necessary import for URL validation functionality.

The net/url import is correctly added to support the new JWKS URL scheme validation.

---

60-60: Well-designed function signature with clear security parameter.

The addition of allowInsecureJwksUrls bool parameter provides explicit control over URL security validation with a descriptive name that makes the security implications clear.

---

73-81: Excellent security validation implementation.

The URL validation logic is well-structured with proper error handling:

• Only enforces security when required (secure by default)
• Uses standard url.ParseRequestURI for robust URL validation
• Specifically validates HTTPS scheme requirement
• Provides clear, informative error messages

This effectively implements the PR objective to disallow HTTP URLs by default.

---

83-98: Improved error handling for validation store creation.

Moving the NewValidationStore call outside the struct initialization and adding explicit error handling is a good improvement. This ensures that algorithm validation errors are properly caught and reported, supporting the requirement for explicit algorithm specification.

router/pkg/config/config_test.go (3)

1205-1221: Good test coverage for secure default behavior.

The test correctly validates that:

• Algorithms must be explicitly specified in JWKS URL configurations
• The default AllowInsecureJwksUrls value is false (secure by default)
• Valid configurations with required fields load successfully

---

1223-1238: Essential validation test for algorithm requirement.

This test correctly validates that empty algorithms arrays are rejected with the appropriate error message, ensuring that JWKS configurations must explicitly specify allowed algorithms.

---

1240-1254: Comprehensive validation for missing algorithms field.

This test ensures that the algorithms field is required for URL configurations, complementing the empty array test to provide complete validation coverage for algorithm specification requirements.

router-tests/authentication_test.go (10)

693-704: LGTM!

The explicit specification of allowed algorithms enhances security by preventing algorithm confusion attacks.

---

804-812: LGTM!

Consistent implementation of explicit algorithm specification across multiple JWKS configurations.

---

855-855: LGTM!

Consistent addition of the boolean parameter for insecure URL allowance.

---

906-909: LGTM!

Proper implementation of explicit algorithm specification.

---

1217-1217: LGTM!

Proper error handling for the token decoder creation.

---

1235-1247: Good test coverage for algorithm validation.

The test properly verifies that algorithms must be explicitly specified, aligning with the PR's security objectives.

---

1350-1351: LGTM!

Proper error handling for OIDC discovery-based token decoder creation.

Also applies to: 1386-1387, 1404-1405

---

1463-1463: LGTM!

Proper error handling maintained.

---

1594-1595: LGTM!

Good use of the variadic parameter pattern for optional algorithm specification.

---

2009-2012: LGTM!

Consistent implementation of explicit algorithm specification across all audience validation tests.

Also applies to: 2094-2097, 2184-2187, 2270-2273, 2353-2356, 2395-2397

[SkArchon]

Discussed with @StarpTech, we will not do this change.