From d95baac74eeaf35141bf9c82560b45ce3942b099 Mon Sep 17 00:00:00 2001
From: Fabio Manganiello <info@fabiomanganiello.com>
Date: Mon, 21 Nov 2022 13:16:09 +0100
Subject: [PATCH] Add user credentials on the encrypted JWT token.

Adding the credentials ensures that tokens associated to non-existing
users, or users with an invalid password, won't be accepted, even if
they were correctly encrypted using the host's keypair.

This adds an additional layer of security in case the host's keypair
gets compromised.
---
 platypush/user/__init__.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/platypush/user/__init__.py b/platypush/user/__init__.py
index 6568b2cf66..149c8765e9 100644
--- a/platypush/user/__init__.py
+++ b/platypush/user/__init__.py
@@ -198,6 +198,7 @@ class UserManager:
         payload = json.dumps(
             {
                 'username': username,
+                'password': password,
                 'created_at': datetime.datetime.now().timestamp(),
                 'expires_at': expires_at.timestamp() if expires_at else None,
             },
@@ -209,8 +210,7 @@ class UserManager:
             rsa.encrypt(payload.encode('ascii'), pub_key)
         ).decode()
 
-    @staticmethod
-    def validate_jwt_token(token: str) -> Dict[str, str]:
+    def validate_jwt_token(self, token: str) -> Dict[str, str]:
         """
         Validate a JWT token.
 
@@ -243,6 +243,14 @@ class UserManager:
         if expires_at and time.time() > expires_at:
             raise InvalidJWTTokenException('Expired JWT token')
 
+        user = self.authenticate_user(
+            payload.get('username', ''),
+            payload.get('password', '')
+        )
+
+        if not user:
+            raise InvalidCredentialsException()
+
         return payload
 
     def _get_db_session(self):