Reject empty secret on HTTP handler. Use KeyRegister with empty entry…

… if you need to.
pascaldekloe · Mar 11, 2019 · 5046a87 · 5046a87
1 parent d99818e
commit 5046a87
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/web.go b/web.go
@@ -144,13 +144,12 @@ type Handler struct {
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// verify claims
 	var claims *Claims
-	var err error
+	err := ErrAlgUnk
 	if h.Keys != nil {
 		claims, err = h.Keys.CheckHeader(r)
-	} else if h.ECDSAKey == nil && h.RSAKey == nil {
+	} else if h.ECDSAKey == nil && h.RSAKey == nil && len(h.Secret) != 0 {
 		claims, err = HMACCheckHeader(r, h.Secret)
 	} else {
-		err = ErrAlgUnk
 		if h.RSAKey != nil {
 			claims, err = RSACheckHeader(r, h.RSAKey)
 		}