From d5af089f673140c754494c828f7441f36d4f7d74 Mon Sep 17 00:00:00 2001
From: Jon Bergli Heier <snakebite@jvnv.net>
Date: Sun, 15 Aug 2021 13:08:36 +0200
Subject: Add algorithms parameter to jwt.decode calls

---
 unmess/api.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/unmess/api.py b/unmess/api.py
index 57e1349..150942d 100644
--- a/unmess/api.py
+++ b/unmess/api.py
@@ -61,7 +61,8 @@ def auth_required(f):
             abort(403)
         try:
             token = jwt.decode(access_token, key=current_app.config['JWT_PUBLIC_KEY'],
-                    audience=current_app.config['OAUTH_CLIENT_ID'])
+                    audience=current_app.config['OAUTH_CLIENT_ID'],
+                    algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']])
         except jwt.InvalidTokenError:
             abort(403)
         user_id = ObjectId(token['sub'])
@@ -260,7 +261,8 @@ def auth_response():
         abort(500, error)
 
     token_data = jwt.decode(token['access_token'], key=current_app.config['JWT_PUBLIC_KEY'],
-            audience=current_app.config['OAUTH_CLIENT_ID'])
+            audience=current_app.config['OAUTH_CLIENT_ID'],
+            algorithms=[current_app.config['OAUTH_JWT_ALGORITHM']])
     # We're assuming sub is an ObjectId (this is true for jab)
     user_id = ObjectId(token_data['sub'])
     user = mongo.db.users.find_one({'_id': user_id})
-- 
cgit v1.2.3