fix: jwt token signed verification

Author: mklos-kw

services/collaboration/pkg/middleware/wopicontext.go

@@ -198,8 +198,14 @@ func GenerateWopiToken(wopiContext WopiContext, cfg *config.Config, st microstor
 	}
 
 	cs3Claims := &jwt.RegisteredClaims{}
-	cs3JWTparser := jwt.Parser{}
-	_, _, err = cs3JWTparser.ParseUnverified(wopiContext.AccessToken, cs3Claims)
+	_, err = jwt.ParseWithClaims(wopiContext.AccessToken, cs3Claims, func(token *jwt.Token) (interface{}, error) {
+
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+
+		return []byte(cfg.Wopi.Secret), nil
+	})
 	if err != nil {
 		return "", 0, err
 	}