From a24e9983fbac4e71693ffe0cc9d01593a3bb1ae4 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Wed, 29 Oct 2025 14:01:36 +0800
Subject: [PATCH] validator: reject multi-sig JWS to ensure alg check matches verified signature

Signed-off-by: Joshua Rogers
---
 validator/validator.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/validator/validator.go b/validator/validator.go
index 2a302493..5241e7a8 100644
--- a/validator/validator.go
+++ b/validator/validator.go
@@ -99,6 +99,10 @@ func (v *Validator) ValidateToken(ctx context.Context, tokenString string) (inte
 		return nil, fmt.Errorf("could not parse the token: %w", err)
 	}
 
+	if len(token.Headers) != 1 {
+		return nil, fmt.Errorf("unsupported token: expected exactly one signature, got %d", len(token.Headers))
+	}
+
 	if err = validateSigningMethod(string(v.signatureAlgorithm), token.Headers[0].Algorithm); err != nil {
 		return nil, fmt.Errorf("signing method is invalid: %w", err)
 	}
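Review bot: The new `len(token.Headers) != 1` guard carries no comment, and its reason lives only in the commit message, which the next reader of validator.go will not see; the point is that the `validateSigningMethod` call immediately below inspects only `token.Headers[0].Algorithm`, so the algorithm allow-list is only meaningful when that single header belongs to the signature that is actually verified. A why-comment above the guard would make that contract explicit, e.g. `// Reject multi-signature JWS: the algorithm check below only looks at Headers[0], which is only sound when there is exactly one signature to verify.` It is also worth noting, in the same comment or the commit description, that the guard additionally removes the index-out-of-range panic that `token.Headers[0]` would have raised on a parsed token with zero signatures, which is a robustness fix in its own right. ValidateToken starts and ends outside the hunk, so I cannot confirm that no other code path reads `token.Headers` before this check.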