From d95baac74eeaf35141bf9c82560b45ce3942b099 Mon Sep 17 00:00:00 2001
From: Fabio Manganiello
Date: Mon, 21 Nov 2022 13:16:09 +0100
Subject: [PATCH] Add user credentials on the encrypted JWT token.

Adding the credentials ensures that tokens associated to non-existing users, or users with an invalid password, won't be accepted, even if they were correctly encrypted using the host's keypair.

This adds an additional layer of security in case the host's keypair gets compromised.
---
 platypush/user/__init__.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/platypush/user/__init__.py b/platypush/user/__init__.py
index 6568b2cf66..149c8765e9 100644
--- a/platypush/user/__init__.py
+++ b/platypush/user/__init__.py
@@ -198,6 +198,7 @@ class UserManager:
 payload = json.dumps(
 {
 'username': username,
+ 'password': password,
 'created_at': datetime.datetime.now().timestamp(),
 'expires_at': expires_at.timestamp() if expires_at else None,
 },
@@ -209,8 +210,7 @@ class UserManager:
 rsa.encrypt(payload.encode('ascii'), pub_key)
 ).decode()

- @staticmethod
- def validate_jwt_token(token: str) -> Dict[str, str]:
+ def validate_jwt_token(self, token: str) -> Dict[str, str]:
 """
 Validate a JWT token.

@@ -243,6 +243,14 @@ class UserManager:
 if expires_at and time.time() > expires_at:
 raise InvalidJWTTokenException('Expired JWT token')

+ user = self.authenticate_user(
+ payload.get('username', ''),
+ payload.get('password', '')
+ )
+
+ if not user:
+ raise InvalidCredentialsException()
+
 return payload

 def _get_db_session(self):
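Review bot: Embedding the plaintext password in the token payload (first hunk, `'password': password,`) means that in the very scenario the commit describes — a compromised host keypair — every captured token can be decrypted into the user's reusable password, which is a worse outcome than a forgeable token, and it also makes every call to `validate_jwt_token` (third hunk) go through `authenticate_user`, which presumably re-runs the stored-password check on each request. The same "reject tokens for deleted users or changed passwords" property can be had without carrying a usable secret: embed a value derived from the stored credential (for example an HMAC or hash of the stored password hash, or a per-user `password_changed_at`/token-version field), look the user up by username in `validate_jwt_token`, and compare the two with `hmac.compare_digest`. Note also that the method now raises `InvalidCredentialsException` where callers previously only had to handle `InvalidJWTTokenException`; unless the two share a base class (not visible here), existing `except` clauses will let the new exception escape. Since the payload goes through `rsa.encrypt(payload.encode('ascii'), pub_key)`, which for the `rsa` package is PKCS#1 v1.5 with a plaintext limit of the key size minus 11 bytes, the extra field also means a long username/password pair can fail at token-issue time depending on the key length — worth a length check or a comment. Both `generate_jwt_token`'s body (first two hunks) and `validate_jwt_token`'s body (third hunk) start or end outside the hunks shown.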