From 98d7c95aa7bf88a5e80dcfae909ebd088b0010a1 Mon Sep 17 00:00:00 2001 From: Fabio Manganiello Date: Mon, 21 Nov 2022 13:04:48 +0100 Subject: [PATCH 1/2] Removed two unrequired `return` statements --- platypush/backend/http/app/routes/auth.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/platypush/backend/http/app/routes/auth.py b/platypush/backend/http/app/routes/auth.py index b59561d06..cfdc30e7e 100644 --- a/platypush/backend/http/app/routes/auth.py +++ b/platypush/backend/http/app/routes/auth.py @@ -50,7 +50,6 @@ def auth_endpoint(): except Exception as e: log.warning('Invalid payload passed to the auth endpoint: ' + str(e)) abort(400) - return jsonify({'token': None}) expiry_days = payload.get('expiry_days') expires_at = None @@ -65,4 +64,3 @@ def auth_endpoint(): }) except UserException as e: abort(401, str(e)) - return jsonify({'token': None}) From d95baac74eeaf35141bf9c82560b45ce3942b099 Mon Sep 17 00:00:00 2001 From: Fabio Manganiello Date: Mon, 21 Nov 2022 13:16:09 +0100 Subject: [PATCH 2/2] Add user credentials on the encrypted JWT token. Adding the credentials ensures that tokens associated to non-existing users, or users with an invalid password, won't be accepted, even if they were correctly encrypted using the host's keypair. This adds an additional layer of security in case the host's keypair gets compromised. --- platypush/user/__init__.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/platypush/user/__init__.py b/platypush/user/__init__.py index 6568b2cf6..149c8765e 100644 --- a/platypush/user/__init__.py +++ b/platypush/user/__init__.py @@ -198,6 +198,7 @@ class UserManager: payload = json.dumps( { 'username': username, + 'password': password, 'created_at': datetime.datetime.now().timestamp(), 'expires_at': expires_at.timestamp() if expires_at else None, }, 
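Review bot: The added `'password': password,` puts the user's plaintext password into every issued token, so under the commit's own threat model — a compromised host keypair — an attacker who decrypts captured tokens now recovers every user's credential in clear, and any token that lands in a log, proxy or browser cache becomes a password leak waiting on that key. A binding that survives key compromise without exposing the secret would be a value derived from the stored credential instead, for example the user's current password hash (or an HMAC of it under a server-side secret), which validate_jwt_token then compares against the database; that still invalidates tokens on password change and for deleted users, which appears to be the intent. If the plaintext password is kept here regardless, the enclosing method's docstring should state plainly that a token disclosure is a password disclosure. The enclosing method begins and ends outside this hunk.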
@@ -209,8 +210,7 @@ class UserManager: rsa.encrypt(payload.encode('ascii'), pub_key) ).decode() - @staticmethod - def validate_jwt_token(token: str) -> Dict[str, str]: + def validate_jwt_token(self, token: str) -> Dict[str, str]: """ Validate a JWT token. @@ -243,6 +243,14 @@ class UserManager: if expires_at and time.time() > expires_at: raise InvalidJWTTokenException('Expired JWT token') + user = self.authenticate_user( + payload.get('username', ''), + payload.get('password', '') + ) + + if not user: + raise InvalidCredentialsException() + return payload def _get_db_session(self):
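Review bot: Dropping `@staticmethod` changes how validate_jwt_token must be called: any call site of the form `UserManager.validate_jwt_token(token)` now fails with a TypeError for the missing `self`, and nothing in the patch shows the callers being updated, so they should be checked (the HTTP auth route is the likely one). The docstring that starts in this hunk should also record the new contract, e.g. `Validate a JWT token and re-authenticate the credentials it carries against the user database.`, with a `:raises InvalidCredentialsException:` entry alongside whatever it already lists. The method body continues past the hunk.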
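Review bot: The re-authentication block raises `InvalidCredentialsException` while the expiry check just above it raises `InvalidJWTTokenException`, so a caller that catches only the latter (the type this method raised before the commit) will now let a bad-credential token propagate as an unhandled error; unless both share a base the callers already catch, `raise InvalidJWTTokenException('Token credentials are no longer valid')` keeps the failure mode uniform. Note too that `authenticate_user` now runs on every token validation, so if it verifies the password with a slow hash each authenticated request pays a full password check — comparing a stored-hash fingerprint carried in the payload would be cheaper — and keeping the expiry check first is right because it skips that cost for stale tokens. The method's start is outside this hunk.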