BenLubar/lemoncurry
1
0
Fork 0
forked from 00dani/lemoncurry
Code Issues Pull requests Releases Wiki Activity

Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter

Browse source
This commit is contained in:
Danielle McLean 2017-11-03 14:33:27 +11:00
parent 6b1cd896ea
commit 6f6bb4e534
Signed by untrusted user: 00dani
GPG key ID: 5A5D2D1AFF12EEC5
2 changed files with 11 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
lemonauth/tokens.py
View file

@ -11,17 +11,18 @@ def gen_auth_code(post):
code = { code = {
'me': post['me'], 'me': post['me'],
'client_id': post['client_id'], 'id': post['client_id'],
'redirect_uri': post['redirect_uri'], 'uri': post['redirect_uri'],
'response_type': post.get('response_type', 'id'), 'typ': post.get('response_type', 'id'),
'exp': datetime.utcnow() + timedelta(minutes=10), 'iat': datetime.utcnow(),
'exp': datetime.utcnow() + timedelta(seconds=30),
} }
if 'scope' in post: if 'scope' in post:
code['scope'] = ' '.join(post.getlist('scope')) code['sco'] = ' '.join(post.getlist('scope'))
params['code'] = jwt.encode(code, settings.SECRET_KEY) params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
return params return params
def verify_auth_code(c): def verify_auth_code(c):
return jwt.decode(c, settings.SECRET_KEY) return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))

7
lemonauth/views/indie.py
View file

@ -73,7 +73,6 @@ class IndieView(TemplateView):
.get('rels', ())) .get('rels', ()))
verified = 'redirect_uri' in rels verified = 'redirect_uri' in rels
try: try:
app = client.to_dict(filter_by_type='h-x-app')[0]['properties'] app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
except IndexError: except IndexError:
@ -98,13 +97,13 @@ class IndieView(TemplateView):
# out immediately. # out immediately.
return utils.forbid('invalid auth code') return utils.forbid('invalid auth code')
if code['response_type'] != 'id': if code['typ'] != 'id':
return utils.bad_req( return utils.bad_req(
'this endpoint only supports response_type=id' 'this endpoint only supports response_type=id'
) )
if post.get('client_id') != code['client_id']: if code['id'] != post.get('client_id'):
return utils.forbid('client id did not match') return utils.forbid('client id did not match')
if post.get('redirect_uri') != code['redirect_uri']: if code['uri'] != post.get('redirect_uri'):
return utils.forbid('redirect uri did not match') return utils.forbid('redirect uri did not match')
# If we got here, it's valid! Yay! # If we got here, it's valid! Yay!