From d5af089f673140c754494c828f7441f36d4f7d74 Mon Sep 17 00:00:00 2001
From: Jon Bergli Heier
Date: Sun, 15 Aug 2021 13:08:36 +0200
Subject: Add algorithms parameter to jwt.decode calls
---
 unmess/api.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/unmess/api.py b/unmess/api.py
index 57e1349..150942d 100644
--- a/unmess/api.py
+++ b/unmess/api.py
@@ -61,7 +61,8 @@ def auth_required(f):
 abort(403)
 try:
 token = jwt.decode(access_token, key=current_app.config['JWT_PUBLIC_KEY'],
- audience=current_app.config['OAUTH_CLIENT_ID'])
+ audience=current_app.config['OAUTH_CLIENT_ID'],
+ algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']])
 except jwt.InvalidTokenError:
 abort(403)
 user_id = ObjectId(token['sub'])
@@ -260,7 +261,8 @@ def auth_response():
 abort(500, error)
 token_data = jwt.decode(token['access_token'], key=current_app.config['JWT_PUBLIC_KEY'],
- audience=current_app.config['OAUTH_CLIENT_ID'])
+ audience=current_app.config['OAUTH_CLIENT_ID'],
+ algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']])
 # We're assuming sub is an ObjectId (this is true for jab)
 user_id = ObjectId(token_data['sub'])
 user = mongo.db.users.find_one({'_id': user_id})
-- 
cgit v1.2.3
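Review bot: Pinning `algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']]` closes the alg-substitution hole, but because the key handed to `jwt.decode` is `JWT_PUBLIC_KEY`, the configured value must never be an HMAC algorithm — with `HS256` the public key becomes the shared secret and anyone able to fetch it can mint tokens that pass this check. I believe recent PyJWT releases refuse a PEM-looking key for HS* algorithms, but that is a heuristic, so enforce the constraint where the config is loaded rather than relying on it: `if not current_app.config['OAUTH_JWT_ALGORITHM'].startswith(('RS', 'ES', 'PS')): raise RuntimeError('OAUTH_JWT_ALGORITHM must be an asymmetric algorithm')`. Note also that a missing `OAUTH_JWT_ALGORITHM` key raises `KeyError` inside the `try`, which `except jwt.InvalidTokenError` does not cover, so a misconfigured deployment answers 500 instead of 403. If the provider sets `iss`, passing `issuer=` here would additionally reject tokens signed with the same key for a different issuer. auth_required starts outside the hunk.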
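Review bot: The decode at `token_data = jwt.decode(token['access_token'], ...)` is not inside a `try` on the visible lines, so an access token from the provider that fails the signature, audience or algorithm check raises `jwt.InvalidTokenError` out of the handler and surfaces as an unhandled traceback unless an enclosing handler exists outside the hunk; auth_response starts outside the hunk. This is now the second call site carrying the identical key/audience/algorithms triple, which is how one of them ended up without `algorithms` before this commit, so a shared helper would keep them from drifting again: `def _decode_access_token(raw):` / `return jwt.decode(raw, key=current_app.config['JWT_PUBLIC_KEY'], audience=current_app.config['OAUTH_CLIENT_ID'], algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']])`, called from both places. Here the call should then be wrapped and answered with an explicit status, mirroring the `abort(500, error)` the surrounding code already uses for provider failures, e.g. `except jwt.InvalidTokenError: abort(500, 'invalid access token from provider')`.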