parent
5029ab62f6
commit
9c3ddf846f
7 changed files with 290 additions and 35 deletions
|
@ -2,7 +2,6 @@ import logging
|
|||
import json
|
||||
import os
|
||||
|
||||
from datetime import datetime, timedelta
|
||||
from data.users.federated import FederatedUsers, VerifiedCredentials
|
||||
from util.security import strictjwt
|
||||
|
||||
|
@ -46,9 +45,11 @@ class ExternalJWTAuthN(FederatedUsers):
|
|||
|
||||
# Load the JWT returned.
|
||||
encoded = result_data.get('token', '')
|
||||
exp_limit_options = strictjwt.exp_max_s_option(self.max_fresh_s)
|
||||
try:
|
||||
payload = strictjwt.decode(encoded, self.public_key, algorithms=['RS256'],
|
||||
audience='quay.io/jwtauthn', issuer=self.issuer)
|
||||
audience='quay.io/jwtauthn', issuer=self.issuer,
|
||||
options=exp_limit_options)
|
||||
except strictjwt.InvalidTokenError:
|
||||
logger.exception('Exception when decoding returned JWT')
|
||||
return (None, 'Invalid username or password')
|
||||
|
@ -59,16 +60,6 @@ class ExternalJWTAuthN(FederatedUsers):
|
|||
if not 'email' in payload:
|
||||
raise Exception('Missing email field in JWT')
|
||||
|
||||
if not 'exp' in payload:
|
||||
raise Exception('Missing exp field in JWT')
|
||||
|
||||
# Verify that the expiration is no more than self.max_fresh_s seconds in the future.
|
||||
expiration = datetime.utcfromtimestamp(payload['exp'])
|
||||
if expiration > datetime.utcnow() + timedelta(seconds=self.max_fresh_s):
|
||||
logger.debug('Payload expiration is outside of the %s second window: %s', self.max_fresh_s,
|
||||
payload['exp'])
|
||||
return (None, 'Invalid username or password')
|
||||
|
||||
# Parse out the username and email.
|
||||
return (VerifiedCredentials(username=payload['sub'], email=payload['email']), None)
|
||||
|
||||
|
|
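Review bot: The new code drops the explicit `if not 'exp' in payload` guard in the third hunk, so a token with no `exp` claim is now rejected only if `strictjwt.exp_max_s_option` / `strictjwt.decode` treat a missing claim as invalid, which is not visible on this page. If the helper only bounds an `exp` that is present, a token without one would be accepted with no freshness limit at all, the opposite of what the removed check enforced. Either confirm that strictjwt requires the claim when this option is set, or keep a one-line presence check after decoding, `if 'exp' not in payload: raise Exception('Missing exp field in JWT')`, next to the retained email check. A short comment on the `exp_limit_options = strictjwt.exp_max_s_option(self.max_fresh_s)` line in the second hunk, stating that it replaces both the presence check and the max_fresh_s window that used to follow, would help the next reader see the intent. The enclosing method starts before the second hunk and only part of its body is visible.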