From 6f6bb4e5344c3e7c78383fb43c45632ec24478d9 Mon Sep 17 00:00:00 2001
From: Danielle McLean
Date: Fri, 3 Nov 2017 14:33:27 +1100
Subject: [PATCH] Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter
---
lemonauth/tokens.py | 15 ++++++++-------
lemonauth/views/indie.py | 7 +++----
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/lemonauth/tokens.py b/lemonauth/tokens.py
index fd04906..88b349b 100644
--- a/lemonauth/tokens.py
+++ b/lemonauth/tokens.py
@@ -11,17 +11,18 @@ def gen_auth_code(post):
 code = {
 'me': post['me'],
- 'client_id': post['client_id'],
- 'redirect_uri': post['redirect_uri'],
- 'response_type': post.get('response_type', 'id'),
- 'exp': datetime.utcnow() + timedelta(minutes=10),
+ 'id': post['client_id'],
+ 'uri': post['redirect_uri'],
+ 'typ': post.get('response_type', 'id'),
+ 'iat': datetime.utcnow(),
+ 'exp': datetime.utcnow() + timedelta(seconds=30),
 }
 if 'scope' in post:
- code['scope'] = ' '.join(post.getlist('scope'))
+ code['sco'] = ' '.join(post.getlist('scope'))
- params['code'] = jwt.encode(code, settings.SECRET_KEY)
+ params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
 return params
 def verify_auth_code(c):
- return jwt.decode(c, settings.SECRET_KEY)
+ return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))
diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index 32d83ce..e78c6ad 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -73,7 +73,6 @@ class IndieView(TemplateView):
 .get('rels', ()))
 verified = 'redirect_uri' in rels
-
 try:
 app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
 except IndexError: 
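Review bot: The new `exp` claim in gen_auth_code is taken from a second `datetime.utcnow()` call, so the lifetime measured from `iat` is not exactly the intended 30 s, and nothing in tokens.py makes the code single-use — a signed code replayed within that window is accepted again by verify_auth_code unless the caller records redeemed codes elsewhere (not visible here). Computing the timestamp once, `now = datetime.utcnow()`, then `'iat': now, 'exp': now + timedelta(seconds=30)`, fixes the first; for the second, adding a random `jti` claim (`secrets.token_urlsafe(16)`) and refusing any `jti` already seen would make replay detectable. Pinning `algorithm='HS256'` on encode and `algorithms=('HS256',)` on decode is the right fix for algorithm confusion (`alg: none` / key-type substitution), and the tuple is accepted where PyJWT checks `alg not in algorithms`. Note that `typ` is a registered JOSE header parameter rather than a claim name, so `'typ'` as a payload key is legal but reads oddly beside `iat`/`exp`; a comment such as `# response_type, not the JOSE 'typ' header` would avoid the confusion. gen_auth_code starts outside the hunk (`params` is built there).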
@@ -98,13 +97,13 @@ class IndieView(TemplateView):
 # out immediately.
 return utils.forbid('invalid auth code')
- if code['response_type'] != 'id':
+ if code['typ'] != 'id':
 return utils.bad_req(
 'this endpoint only supports response_type=id'
 )
- if post.get('client_id') != code['client_id']:
+ if code['id'] != post.get('client_id'):
 return utils.forbid('client id did not match')
- if post.get('redirect_uri') != code['redirect_uri']:
+ if code['uri'] != post.get('redirect_uri'):
 return utils.forbid('redirect uri did not match')
 # If we got here, it's valid! Yay!
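Review bot: `code['typ']`, `code['id']` and `code['uri']` index the decoded payload directly, so a validly signed code that lacks one of these keys — for example one minted under the old `response_type`/`client_id`/`redirect_uri` names in the ten minutes before this deploy — raises KeyError here instead of being refused; whether the try that wraps verify_auth_code above (outside the hunk) catches KeyError is not visible. Catching `KeyError` alongside the JWT errors there, or rejecting early with `if not all(k in code for k in ('typ', 'id', 'uri')): return utils.forbid('invalid auth code')`, keeps every malformed code on the 403 path. Do not switch to `code.get(...)` for this, since `post.get('client_id')` is also `None` when the parameter is absent and the mismatch check would then pass. The enclosing method starts outside the hunk.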