From 3f9e930748af4714a4e1ff58fc5aa8b382fa1515 Mon Sep 17 00:00:00 2001 From: Jon Bergli Heier Date: Sun, 15 Aug 2021 12:43:41 +0200 Subject: Add algorithms to jwt.decode calls --- fbin/api.py | 3 ++- fbin/fbin.py | 8 +++++--- fbin/login.py | 9 ++++++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/fbin/api.py b/fbin/api.py index 5659b3a..dc7e1f8 100644 --- a/fbin/api.py +++ b/fbin/api.py @@ -31,7 +31,8 @@ def authenticate(): if scheme != 'Bearer': abort(400) try: - token = jwt.decode(token, current_app.config['SECRET_KEY'], issuer=request.url_root) + token = jwt.decode(token, current_app.config['SECRET_KEY'], issuer=request.url_root, + algorithms=[current_app.config['API_JWT_ALGORITHM']]) except jwt.InvalidTokenError: abort(403) try: diff --git a/fbin/fbin.py b/fbin/fbin.py index b062c9a..d0a5a9a 100755 --- a/fbin/fbin.py +++ b/fbin/fbin.py @@ -253,9 +253,11 @@ def auth(): return redirect(url_for('.index')) try: jwt.decode(token['access_token'], key=current_app.config['JWT_PUBLIC_KEY'], - audience=current_app.config['OAUTH_CLIENT_ID']) + audience=current_app.config['OAUTH_CLIENT_ID'], + algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]) jwt.decode(token['refresh_token'], key=current_app.config['JWT_PUBLIC_KEY'], - audience=current_app.config['OAUTH_CLIENT_ID']) + audience=current_app.config['OAUTH_CLIENT_ID'], + algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]) except jwt.InvalidTokenError as e: flash('Failed to verify token: {!s}'.format(e), 'error') return redirect(url_for('.index')) @@ -414,7 +416,7 @@ def generate_api_key(): 'nbf': now, 'sub': user_id, } - token = jwt.encode(data, current_app.config['SECRET_KEY']) + token = jwt.encode(data, current_app.config['SECRET_KEY'], algorithm=current_app.config['API_JWT_ALGORITHM']) return token diff --git a/fbin/login.py b/fbin/login.py index 00f969d..b4b62d0 100644 --- a/fbin/login.py +++ b/fbin/login.py @@ -35,9 +35,11 @@ class BinUser: return try: jwt.decode(token['access_token'], key=current_app.config['JWT_PUBLIC_KEY'], - audience=current_app.config['OAUTH_CLIENT_ID']) + audience=current_app.config['OAUTH_CLIENT_ID'], + algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]) jwt.decode(token['refresh_token'], key=current_app.config['JWT_PUBLIC_KEY'], - audience=current_app.config['OAUTH_CLIENT_ID']) + audience=current_app.config['OAUTH_CLIENT_ID'], + algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]) except jwt.InvalidTokenError: traceback.print_exc() flash('Failed to refresh authentication token (verification failed)', 'error') @@ -57,7 +59,8 @@ class BinUser: return True try: self.token = jwt.decode(self.user_session.access_token, key=current_app.config['JWT_PUBLIC_KEY'], - audience=current_app.config['OAUTH_CLIENT_ID']) + audience=current_app.config['OAUTH_CLIENT_ID'], + algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]) except jwt.ExpiredSignatureError: try: if not self.refresh_access_token(): -- cgit v1.2.3