From db75ba4357d80c38fbe4b4473c738fa2f8e0bcac Mon Sep 17 00:00:00 2001
From: sigoden
Date: Tue, 2 Sep 2025 18:48:17 +0800
Subject: [PATCH] fix: verify token length (#627)

---
 src/auth.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/auth.rs b/src/auth.rs
index 6457391..9a01fd6 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -173,6 +173,10 @@ impl AccessControl {
     fn verify_token<'a>(&'a self, token: &str, path: &str) -> Result<(String, &'a AccessPaths)> {
         let raw = hex::decode(token)?;
 
+        if raw.len() < 72 {
+            bail!("Invalid token");
+        }
+
         let sig_bytes = &raw[..64];
         let exp_bytes = &raw[64..72];
         let user_bytes = &raw[72..];
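Review bot: The new guard `if raw.len() < 72` still accepts a token of exactly 72 bytes, which makes `&raw[72..]` an empty `user_bytes`. The rest of verify_token lies outside the hunk, so it is not visible whether an empty user name is rejected later; if it is never valid, `if raw.len() <= 72 {` would reject it here before any signature work is done. The literals 64 and 72 now appear in both the check and the three slices, so named constants such as `const SIG_LEN: usize = 64;` and `const EXP_LEN: usize = 8;` would keep the bound and the slice offsets in step. The diffstat shows only src/auth.rs changed, so a regression test that passes a too-short hex token and expects an `Err` rather than a slice panic would be worth adding.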