Skip to content

Security Improvemet  #774

Description

@miguelmirceballos

Issue Summary

There is an easy way to improve the security when using the jwt token, in the jwt class the token is not being verify which is common a bad practice in working with this kind of tokens.

Code Snippet

the problems appears here in the jwt class:
@classmethod

def from_jwt(cls, jwt, key=""):

    """

    Decode a JWT string into a Jwt object

    :param str jwt: JWT string

    :param Optional[str] key: key used to verify JWT signature, if not provided then validation

                              is skipped.

    :raises JwtDecodeError if decoding JWT fails for any reason.

    :return: A DecodedJwt object containing the jwt information.

    """

    verify = True if key else False

    try:

        headers = jwt_lib.get_unverified_header(jwt)

is in the last line where the token signature is not being verified, The verification can be easily added by using this function to decode the token:

import jwt

jwt.decode(token, key, algorithms="HS256")

I hope it helps improve the code,
pd: I am not doing the commit about because I propose this as a part of College Project and I do not have enough time to test it...

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions