diff --git a/src/corbado_python_sdk/services/implementation/session_service.py b/src/corbado_python_sdk/services/implementation/session_service.py
index f752ba5..7db7a04 100644
--- a/src/corbado_python_sdk/services/implementation/session_service.py
+++ b/src/corbado_python_sdk/services/implementation/session_service.py
@@ -2,6 +2,7 @@ from jwt import (
 ExpiredSignatureError,
 ImmatureSignatureError,
+ InvalidAlgorithmError,
 InvalidSignatureError,
 decode,
 )
@@ -16,6 +17,7 @@
 )
 DEFAULT_SESSION_TOKEN_LENGTH = 300
+ALLOWED_ALGS = {"RS256"}
 class SessionService(BaseModel):
@@ -90,7 +92,7 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
 # decode short session (jwt) with signing key
 try:
- payload = decode(jwt=session_token, key=signing_key.key, algorithms=["RS256"])
+ payload = decode(jwt=session_token, key=signing_key.key, algorithms=list(ALLOWED_ALGS))
 # extract information from decoded payload
 token_issuer: str = payload.get("iss")
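Review bot: `ALLOWED_ALGS = {"RS256"}` is introduced without a comment saying why it is an explicit allow-list, and since `decode()` consumes it as the only algorithms it will accept, that intent is worth stating next to the constant so nobody later widens it to a symmetric algorithm or lets the token header choose. I would add `# Explicit allow-list handed to jwt.decode(); only the asymmetric RS256 the JWKS signing keys are expected to use is accepted, so a token header cannot select "none" or an HMAC alg.` above it. The `list(ALLOWED_ALGS)` conversion at the call site in the third hunk is correct; a tuple or list literal would avoid the per-call conversion, but that is cosmetic.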
@@ -104,15 +106,21 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
 )
 except ExpiredSignatureError as error:
 raise TokenValidationException(
- error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
- message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+ error_type=ValidationErrorType.CODE_JWT_EXPIRED,
+ message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
 original_exception=error,
 )
 except InvalidSignatureError as error:
 raise TokenValidationException(
- error_type=ValidationErrorType.CODE_JWT_EXPIRED,
- message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
+ error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+ message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+ original_exception=error,
+ )
+ except InvalidAlgorithmError as error:
+ raise TokenValidationException(
+ error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+ message="Algorithm not allowed",
 original_exception=error,
 )
diff --git a/tests/unit/test_session_service.py b/tests/unit/test_session_service.py
index 6c8122e..6a001d5 100644
--- a/tests/unit/test_session_service.py
+++ b/tests/unit/test_session_service.py
@@ -8,6 +8,7 @@
 DecodeError,
 ExpiredSignatureError,
 ImmatureSignatureError,
+ InvalidAlgorithmError,
 InvalidSignatureError,
 PyJWKClientError,
 encode,
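Review bot: The rewritten `message=` lines for the expired and invalid-signature cases still embed the full `session_token` in the exception text, so a bearer credential ends up wherever TokenValidationException is logged or surfaced; the new `InvalidAlgorithmError` branch avoids this, and the other two could follow it, e.g. `message=f"Error occured during token decode. {ValidationErrorType.CODE_JWT_EXPIRED.value}"` (if the token is needed for debugging, a truncated or redacted form belongs there, not the whole credential; the misspelling `occured` also carries over into the new lines). The new branch reports `CODE_JWT_INVALID_SIGNATURE` for a rejected algorithm, which makes an alg rejection indistinguishable from a bad signature to callers; if ValidationErrorType has a dedicated member for this, it would be clearer, and if not a comment on the branch should say the reuse is deliberate. Whether the new handler is reachable also depends on the handler that closes at the top of the hunk: if any earlier `except` in this `try` catches a base class such as InvalidTokenError, InvalidAlgorithmError never reaches its own clause. The enclosing `validate_token` and its earlier handlers start before this hunk and are not visible here.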
@@ -126,8 +127,10 @@ def _provide_jwts(self):
 # JWT signed with wrong algorithm (HS256 instead of RS256)
 (
 False,
- """eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6
- IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.dyt0CoTl4WoVjAHI9Q_CwSKhl6d_9rhM3NrXuJttkao""",
+ (
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6"
+ "IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.dyt0CoTl4WoVjAHI9Q_CwSKhl6d_9rhM3NrXuJttkao"
+ ),
 PyJWKClientError,
 'Unable to find a signing key that matches: "None"',
 ),
@@ -179,6 +182,14 @@ def _provide_jwts(self):
 None,
 None,
 ),
+ # Disallowed algorithm "none"
+ (
+ False,
+ "eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIiwgImtpZCI6ICJraWQxMjMifQ.eyJpc3MiOiAiaHR0cHM6"
+ "Ly9hdXRoLmFjbWUuY29tIiwgInN1YiI6ICIxMjM0NSIsICJpYXQiOiAxNzQ5NzI2NjIxLCAiZXhwIjogMTc0OTczMDIyMSwgIm5iZiI6IDE3NDk3MjY2MjF9.",
+ InvalidAlgorithmError,
+ 'The specified alg value is not allowed',
+ ),
 # Success with old Frontend API URL in config (2)
 (
 True,
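Review bot: The new `# Disallowed algorithm "none"` case would be easier to maintain with a comment explaining how the fixture token is built: its header decodes to `{"alg": "none", "typ": "JWT", "kid": "kid123"}` and it carries an empty signature segment, so presumably the mocked JWKS serves `kid123`, key lookup succeeds, and the failure is attributable to the algorithm allow-list rather than to key resolution — which is exactly how it differs from the HS256 case just above, whose missing kid fails earlier with PyJWKClientError. I would add `# Header {"alg": "none", "kid": "kid123"}, empty signature segment; kid resolves, so the failure must come from the alg allow-list, not from key lookup` above the tuple. The `exp` claim embedded in the token is a fixed timestamp; the case stays time-independent only as long as the algorithm check fires before claim validation, which is worth confirming so the test does not start failing for the wrong reason once the token is past its expiry. `_provide_jwts` starts before this hunk.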