Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter
This commit is contained in:
parent
6b1cd896ea
commit
6f6bb4e534
2 changed files with 11 additions and 11 deletions
|
@ -11,17 +11,18 @@ def gen_auth_code(post):
|
||||||
|
|
||||||
code = {
|
code = {
|
||||||
'me': post['me'],
|
'me': post['me'],
|
||||||
'client_id': post['client_id'],
|
'id': post['client_id'],
|
||||||
'redirect_uri': post['redirect_uri'],
|
'uri': post['redirect_uri'],
|
||||||
'response_type': post.get('response_type', 'id'),
|
'typ': post.get('response_type', 'id'),
|
||||||
'exp': datetime.utcnow() + timedelta(minutes=10),
|
'iat': datetime.utcnow(),
|
||||||
|
'exp': datetime.utcnow() + timedelta(seconds=30),
|
||||||
}
|
}
|
||||||
if 'scope' in post:
|
if 'scope' in post:
|
||||||
code['scope'] = ' '.join(post.getlist('scope'))
|
code['sco'] = ' '.join(post.getlist('scope'))
|
||||||
|
|
||||||
params['code'] = jwt.encode(code, settings.SECRET_KEY)
|
params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
|
||||||
return params
|
return params
|
||||||
|
|
||||||
|
|
||||||
def verify_auth_code(c):
|
def verify_auth_code(c):
|
||||||
return jwt.decode(c, settings.SECRET_KEY)
|
return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))
|
||||||
|
|
|
@ -73,7 +73,6 @@ class IndieView(TemplateView):
|
||||||
.get('rels', ()))
|
.get('rels', ()))
|
||||||
verified = 'redirect_uri' in rels
|
verified = 'redirect_uri' in rels
|
||||||
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
|
app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
|
||||||
except IndexError:
|
except IndexError:
|
||||||
|
@ -98,13 +97,13 @@ class IndieView(TemplateView):
|
||||||
# out immediately.
|
# out immediately.
|
||||||
return utils.forbid('invalid auth code')
|
return utils.forbid('invalid auth code')
|
||||||
|
|
||||||
if code['response_type'] != 'id':
|
if code['typ'] != 'id':
|
||||||
return utils.bad_req(
|
return utils.bad_req(
|
||||||
'this endpoint only supports response_type=id'
|
'this endpoint only supports response_type=id'
|
||||||
)
|
)
|
||||||
if post.get('client_id') != code['client_id']:
|
if code['id'] != post.get('client_id'):
|
||||||
return utils.forbid('client id did not match')
|
return utils.forbid('client id did not match')
|
||||||
if post.get('redirect_uri') != code['redirect_uri']:
|
if code['uri'] != post.get('redirect_uri'):
|
||||||
return utils.forbid('redirect uri did not match')
|
return utils.forbid('redirect uri did not match')
|
||||||
|
|
||||||
# If we got here, it's valid! Yay!
|
# If we got here, it's valid! Yay!
|
||||||
|
|
Loading…
Reference in a new issue