From 6e6beab91448f4f720bcae8957e48d50b2f22703 Mon Sep 17 00:00:00 2001
From: jake-dog
Date: Tue, 13 May 2025 21:10:24 -0400
Subject: [PATCH] adhere to jwt/v4 security recommendation: "validate the alg presented is what you expect"
---
 http/auth.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/http/auth.go b/http/auth.go
index 1f8e3bac..6d3bc78e 100644
--- a/http/auth.go
+++ b/http/auth.go
@@ -87,7 +87,8 @@ func withUser(fn handleFunc) handleFunc {
 }
 var tk authToken
- token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk))
+ p := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
+ token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk), request.WithParser(p))
 if (err != nil || !token.Valid) && !renewableErr(err, d) {
 return http.StatusUnauthorized, nil