Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter

2017-11-03 14:33:27 +11:00 · 2017-11-03 14:33:27 +11:00 · 6f6bb4e534
commit 6f6bb4e534
parent 6b1cd896ea
2 changed files with 11 additions and 11 deletions
--- a/lemonauth/tokens.py
+++ b/lemonauth/tokens.py
@ -11,17 +11,18 @@ def gen_auth_code(post):

    code = {
        'me': post['me'],
-        'client_id': post['client_id'],
-        'redirect_uri': post['redirect_uri'],
-        'response_type': post.get('response_type', 'id'),
-        'exp': datetime.utcnow() + timedelta(minutes=10),
+        'id': post['client_id'],
+        'uri': post['redirect_uri'],
+        'typ': post.get('response_type', 'id'),
+        'iat': datetime.utcnow(),
+        'exp': datetime.utcnow() + timedelta(seconds=30),
    }
    if 'scope' in post:
-        code['scope'] = ' '.join(post.getlist('scope'))
+        code['sco'] = ' '.join(post.getlist('scope'))

-    params['code'] = jwt.encode(code, settings.SECRET_KEY)
+    params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
    return params


 def verify_auth_code(c):
-    return jwt.decode(c, settings.SECRET_KEY)
+    return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@ -73,7 +73,6 @@ class IndieView(TemplateView):
                .get('rels', ()))
        verified = 'redirect_uri' in rels

-
        try:
            app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
        except IndexError:
@ -98,13 +97,13 @@ class IndieView(TemplateView):
            # out immediately.
            return utils.forbid('invalid auth code')

-        if code['response_type'] != 'id':
+        if code['typ'] != 'id':
            return utils.bad_req(
                'this endpoint only supports response_type=id'
            )
-        if post.get('client_id') != code['client_id']:
+        if code['id'] != post.get('client_id'):
            return utils.forbid('client id did not match')
-        if post.get('redirect_uri') != code['redirect_uri']:
+        if code['uri'] != post.get('redirect_uri'):
            return utils.forbid('redirect uri did not match')

        # If we got here, it's valid! Yay!