Make our JWT checking more strict.

2015-09-04 11:29:22 -04:00 · 2015-09-04 11:29:22 -04:00 · 82efc746b3
commit 82efc746b3
parent 0823ba5c46
4 changed files with 34 additions and 14 deletions
--- a/auth/jwt_auth.py
+++ b/auth/jwt_auth.py
@ -1,5 +1,4 @@
 import logging
-import jwt
 import re

 from datetime import datetime, timedelta
@ -11,10 +10,11 @@ from cryptography.hazmat.backends import default_backend
 from cachetools import lru_cache

 from app import app
-from auth_context import set_grant_user_context
-from permissions import repository_read_grant, repository_write_grant
+from .auth_context import set_grant_user_context
+from .permissions import repository_read_grant, repository_write_grant
 from util.names import parse_namespace_repository
 from util.http import abort
+from util.security import strictjwt


 logger = logging.getLogger(__name__)
@ -44,17 +44,14 @@ def identity_from_bearer_token(bearer_token, max_signed_s, public_key):

  # Load the JWT returned.
  try:
-    payload = jwt.decode(encoded, public_key, algorithms=['RS256'], audience='quay',
-                         issuer='token-issuer')
-  except jwt.InvalidTokenError:
+    payload = strictjwt.decode(encoded, public_key, algorithms=['RS256'], audience='quay',
+                               issuer='token-issuer')
+  except strictjwt.InvalidTokenError:
    raise InvalidJWTException('Invalid token')

  if not 'sub' in payload:
    raise InvalidJWTException('Missing sub field in JWT')

-  if not 'exp' in payload:
-    raise InvalidJWTException('Missing exp field in JWT')
-
  # Verify that the expiration is no more than 300 seconds in the future.
  if datetime.fromtimestamp(payload['exp']) > datetime.utcnow() + timedelta(seconds=max_signed_s):
    raise InvalidJWTException('Token was signed for more than %s seconds' % max_signed_s)