Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter

This commit is contained in:
Danielle McLean 2017-11-03 14:33:27 +11:00
parent 6b1cd896ea
commit 6f6bb4e534
Signed by untrusted user: 00dani
GPG key ID: 5A5D2D1AFF12EEC5
2 changed files with 11 additions and 11 deletions

View file

@ -11,17 +11,18 @@ def gen_auth_code(post):
code = {
'me': post['me'],
'client_id': post['client_id'],
'redirect_uri': post['redirect_uri'],
'response_type': post.get('response_type', 'id'),
'exp': datetime.utcnow() + timedelta(minutes=10),
'id': post['client_id'],
'uri': post['redirect_uri'],
'typ': post.get('response_type', 'id'),
'iat': datetime.utcnow(),
'exp': datetime.utcnow() + timedelta(seconds=30),
}
if 'scope' in post:
code['scope'] = ' '.join(post.getlist('scope'))
code['sco'] = ' '.join(post.getlist('scope'))
params['code'] = jwt.encode(code, settings.SECRET_KEY)
params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
return params
def verify_auth_code(c):
return jwt.decode(c, settings.SECRET_KEY)
return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))

View file

@ -73,7 +73,6 @@ class IndieView(TemplateView):
.get('rels', ()))
verified = 'redirect_uri' in rels
try:
app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
except IndexError:
@ -98,13 +97,13 @@ class IndieView(TemplateView):
# out immediately.
return utils.forbid('invalid auth code')
if code['response_type'] != 'id':
if code['typ'] != 'id':
return utils.bad_req(
'this endpoint only supports response_type=id'
)
if post.get('client_id') != code['client_id']:
if code['id'] != post.get('client_id'):
return utils.forbid('client id did not match')
if post.get('redirect_uri') != code['redirect_uri']:
if code['uri'] != post.get('redirect_uri'):
return utils.forbid('redirect uri did not match')
# If we got here, it's valid! Yay!