From d554cdeb64ab89737e1b564adf0700a5840a5d42 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 12 Jan 2026 12:52:19 -0800
Subject: [PATCH] Fix security vulnerability and improve test error handling

---
 weed/server/filer_jwt_test.go | 5 ++-
 weed/server/filer_server_handlers.go | 50 +++++++++++++++-------------
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/weed/server/filer_jwt_test.go b/weed/server/filer_jwt_test.go
index 565289b8b..d581691ea 100644
--- a/weed/server/filer_jwt_test.go
+++ b/weed/server/filer_jwt_test.go
@@ -26,7 +26,10 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- str, _ := token.SignedString([]byte(signingKey))
+ str, err := token.SignedString([]byte(signingKey))
+ if err != nil {
+ panic(err)
+ }
 return str
 }
 
diff --git a/weed/server/filer_server_handlers.go b/weed/server/filer_server_handlers.go
index d7214ccaa..3813537d1 100644
--- a/weed/server/filer_server_handlers.go
+++ b/weed/server/filer_server_handlers.go
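Review bot: The new error branch after the `token.SignedString` line panics instead of failing the test, which crashes the whole test binary and loses the test name from the report. The hunk header shows this helper sits inside `TestFilerServer_maybeCheckJwtAuthorization_Scoped`, so if it is a closure `t` appears to be in scope and `t.Fatalf("signing test token: %v", err)` is the idiomatic replacement; if it is a separate function, pass `t *testing.T` to it and call `t.Helper()` first. The enclosing test function starts before the hunk.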
@@ -244,33 +244,37 @@ func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool)
 return false
 }
 
- if claims, ok := token.Claims.(*security.SeaweedFilerClaims); ok {
- if len(claims.AllowedPrefixes) > 0 {
- hasPrefix := false
- for _, prefix := range claims.AllowedPrefixes {
- if strings.HasPrefix(r.URL.Path, prefix) {
- hasPrefix = true
- break
- }
- }
- if !hasPrefix {
- glog.V(1).Infof("jwt path not allowed from %s: %v", r.RemoteAddr, r.URL.Path)
- return false
+ claims, ok := token.Claims.(*security.SeaweedFilerClaims)
+ if !ok {
+ glog.V(1).Infof("jwt claims not of type *SeaweedFilerClaims from %s", r.RemoteAddr)
+ return false
+ }
+
+ if len(claims.AllowedPrefixes) > 0 {
+ hasPrefix := false
+ for _, prefix := range claims.AllowedPrefixes {
+ if strings.HasPrefix(r.URL.Path, prefix) {
+ hasPrefix = true
+ break
 }
 }
- if len(claims.AllowedMethods) > 0 {
- hasMethod := false
- for _, method := range claims.AllowedMethods {
- if method == r.Method {
- hasMethod = true
- break
- }
- }
- if !hasMethod {
- glog.V(1).Infof("jwt method not allowed from %s: %v", r.RemoteAddr, r.Method)
- return false
+ if !hasPrefix {
+ glog.V(1).Infof("jwt path not allowed from %s: %v", r.RemoteAddr, r.URL.Path)
+ return false
+ }
+ }
+ if len(claims.AllowedMethods) > 0 {
+ hasMethod := false
+ for _, method := range claims.AllowedMethods {
+ if method == r.Method {
+ hasMethod = true
+ break
 }
 }
+ if !hasMethod {
+ glog.V(1).Infof("jwt method not allowed from %s: %v", r.RemoteAddr, r.Method)
+ return false
+ }
 }
 
 return true
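Review bot: The prefix scope check on the `strings.HasPrefix(r.URL.Path, prefix)` line still compares the raw request path as a plain string, so unless a ServeMux or an upstream proxy has already canonicalised the path, `/allowed/../other` satisfies an `/allowed/` prefix, and a prefix such as `/data/user1` also admits `/data/user10`. If AllowedPrefixes are meant as directory scopes, clean the path with `path.Clean` before matching and require a segment boundary, as in the helper below (it needs `path` imported in this file). Note that `strings.HasPrefix(x, "")` is always true, so an empty entry in AllowedPrefixes is a wildcard today; the helper drops that, so keep an explicit `if prefix == "" { return true }` if any issuer relies on it. The function's body begins before the hunk and its closing brace lies after it.
```go
	// Match against a cleaned path so "/a/../b" cannot satisfy an "/a/" prefix.
	reqPath := path.Clean(r.URL.Path)
	if len(claims.AllowedPrefixes) > 0 {
		hasPrefix := false
		for _, prefix := range claims.AllowedPrefixes {
			if pathWithinPrefix(reqPath, prefix) {
				hasPrefix = true
				break
			}
		}
		// … unchanged: log and return false when !hasPrefix …
	}
	// … unchanged: AllowedMethods check …

// pathWithinPrefix reports whether p equals prefix or lies beneath it on a
// segment boundary, so "/data/user1" admits "/data/user1/x" but not "/data/user10".
func pathWithinPrefix(p, prefix string) bool {
	prefix = path.Clean(prefix)
	if prefix == "/" {
		return true
	}
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}
```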