forked from 00dani/lemoncurry
Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter
This commit is contained in:
parent
6b1cd896ea
commit
6f6bb4e534
2 changed files with 11 additions and 11 deletions
|
@ -11,17 +11,18 @@ def gen_auth_code(post):
|
|||
|
||||
code = {
|
||||
'me': post['me'],
|
||||
'client_id': post['client_id'],
|
||||
'redirect_uri': post['redirect_uri'],
|
||||
'response_type': post.get('response_type', 'id'),
|
||||
'exp': datetime.utcnow() + timedelta(minutes=10),
|
||||
'id': post['client_id'],
|
||||
'uri': post['redirect_uri'],
|
||||
'typ': post.get('response_type', 'id'),
|
||||
'iat': datetime.utcnow(),
|
||||
'exp': datetime.utcnow() + timedelta(seconds=30),
|
||||
}
|
||||
if 'scope' in post:
|
||||
code['scope'] = ' '.join(post.getlist('scope'))
|
||||
code['sco'] = ' '.join(post.getlist('scope'))
|
||||
|
||||
params['code'] = jwt.encode(code, settings.SECRET_KEY)
|
||||
params['code'] = jwt.encode(code, settings.SECRET_KEY, algorithm='HS256')
|
||||
return params
|
||||
|
||||
|
||||
def verify_auth_code(c):
|
||||
return jwt.decode(c, settings.SECRET_KEY)
|
||||
return jwt.decode(c, settings.SECRET_KEY, algorithms=('HS256',))
|
||||
|
|
|
@ -73,7 +73,6 @@ class IndieView(TemplateView):
|
|||
.get('rels', ()))
|
||||
verified = 'redirect_uri' in rels
|
||||
|
||||
|
||||
try:
|
||||
app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
|
||||
except IndexError:
|
||||
|
@ -98,13 +97,13 @@ class IndieView(TemplateView):
|
|||
# out immediately.
|
||||
return utils.forbid('invalid auth code')
|
||||
|
||||
if code['response_type'] != 'id':
|
||||
if code['typ'] != 'id':
|
||||
return utils.bad_req(
|
||||
'this endpoint only supports response_type=id'
|
||||
)
|
||||
if post.get('client_id') != code['client_id']:
|
||||
if code['id'] != post.get('client_id'):
|
||||
return utils.forbid('client id did not match')
|
||||
if post.get('redirect_uri') != code['redirect_uri']:
|
||||
if code['uri'] != post.get('redirect_uri'):
|
||||
return utils.forbid('redirect uri did not match')
|
||||
|
||||
# If we got here, it's valid! Yay!
|
||||
|
|
Loading…
Reference in a new issue