From 9350041d76f066e1c8bc42dec4f42e421137c2bb Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Mon, 15 May 2023 11:26:41 -0700
Subject: [PATCH] fix var safety issue
---
 permissions_engine/authz.rego | 6 ++++--
 permissions_engine/idp.rego | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/permissions_engine/authz.rego b/permissions_engine/authz.rego
index a8cb520..46eb274 100644
--- a/permissions_engine/authz.rego
+++ b/permissions_engine/authz.rego
@@ -56,11 +56,13 @@ allow {
 decode_verify_token_output[issuer] := output {
 some i
+ issuer := data.keys[i].iss
+ cert := data.keys[i].cert
 output := io.jwt.decode_verify( # Decode and verify in one-step
 input.identity,
 { # With the supplied constraints:
- "cert": data.keys[i].cert,
- "iss": data.keys[i].iss,
+ "cert": cert,
+ "iss": issuer,
 "aud": "CLIENT_ID"
 }
 )
diff --git a/permissions_engine/idp.rego b/permissions_engine/idp.rego
index 2611928..80c525e 100644
--- a/permissions_engine/idp.rego
+++ b/permissions_engine/idp.rego
@@ -6,11 +6,13 @@ package idp
 #
 decode_verify_token_output[issuer] := output {
 some i
+ issuer := data.keys[i].iss
+ cert := data.keys[i].cert
 output := io.jwt.decode_verify( # Decode and verify in one-step
 input.token,
 { # With the supplied constraints:
- "cert": data.keys[i].cert,
- "iss": data.keys[i].iss,
+ "cert": cert,
+ "iss": issuer,
 "aud": "CLIENT_ID"
 }
 )
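Review bot: Results of failed verifications are stored in `decode_verify_token_output` alongside successful ones, because `io.jwt.decode_verify` returns `[false, {}, {}]` instead of failing and nothing after the call in authz.rego checks the first element. Now that the key is bound to `data.keys[i].iss`, two entries in `data.keys` with the same `iss` and different certs (for example during key rotation) would produce different values for one object key and make evaluation fail with a conflict. Adding `output[0]` on the line after the call keeps only verified results and removes that case, provided callers, which are not visible here, do not depend on the failed entries. The rule's closing brace lies outside the hunk, and the identical hunk in permissions_engine/idp.rego has the same issue.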
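Review bot: The rule in idp.rego is a copy of the one in permissions_engine/authz.rego, differing only in reading `input.token` instead of `input.identity`, so every change to the verification constraints has to be made twice, as this commit does. A single shared function that takes the token as its argument would keep the `cert`, `iss` and `aud` constraints from drifting between the two policies. Separately, `"aud": "CLIENT_ID"` looks like a placeholder; if it is not substituted before the policy is loaded, the audience check compares against that literal string. A comment on that line such as `# CLIENT_ID is replaced at deploy time by <substitution step>` would document where the real value comes from. The rule's closing brace lies outside the hunk.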