Security Improvement #774
Comments
Hello Miguel. This is not an issue. The verification here is not needed: this is just checking the headers to check that the operation is valid, to discard before decoding if it isn't. If the header is valid, it is always decoded and thus verified before processing. The logic is clear:

```python
headers = jwt_lib.get_unverified_header(jwt)
alg = headers.get("alg")
if alg != cls.ALGORITHM:
    raise ValueError(
        f"Incorrect decoding algorithm {alg}, "
        f"expecting {cls.ALGORITHM}."
    )
payload = jwt_lib.decode(
    ...
)
```
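The two-step flow the maintainer describes, as an added example that is not the project's or the maintainer's code: a stdlib-only HS256 implementation stands in for PyJWT (the names `ALGORITHM`, `encode`, `decode`, `get_unverified_header` and the demo key are assumptions), so it runs offline. The unverified header check only pins the algorithm cheaply; it is the signature check in `decode` that rejects a forged payload, a wrong key or an `alg: none` token.

```python
import base64
import hashlib
import hmac
import json

ALGORITHM = "HS256"  # assumed: the only algorithm this service accepts


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with HS256."""
    header = {"alg": ALGORITHM, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def get_unverified_header(token: str) -> dict:
    """Parse the header WITHOUT checking the signature (PyJWT's get_unverified_header)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def decode(token: str, key: bytes) -> dict:
    # Step 1: cheap pre-check on the unverified header, pinning the algorithm so that
    # an attacker-chosen "alg" (e.g. "none") is rejected before any crypto runs.
    alg = get_unverified_header(token).get("alg")
    if alg != ALGORITHM:
        raise ValueError(f"Incorrect decoding algorithm {alg}, expecting {ALGORITHM}.")
    # Step 2: the real verification; the payload is only trusted after this passes.
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Invalid signature.")
    return json.loads(_b64url_decode(payload_b64))


def outcome(token: str, key: bytes) -> str:
    """Summarise what decode() does with a token: 'accepted' or 'rejected: <reason>'."""
    try:
        decode(token, key)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```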
Is this still an issue?

Closing as no response was received in the last 30 days.
Issue Summary
There is an easy way to improve security when using the JWT token: in the jwt class the token is not being verified, which is commonly a bad practice when working with this kind of token.
Code Snippet
The problem appears here in the jwt class:
@classmethod
It is in the last line, where the token signature is not being verified. The verification can easily be added by using this function to decode the token:

```python
import jwt

# algorithms takes a list of accepted algorithms
jwt.decode(token, key, algorithms=["HS256"])
```
I hope it helps improve the code.
PS: I am not doing the commit because I propose this as part of a college project and I do not have enough time to test it...