def test_decode_id_token(monkeypatch, bearer_auth):
"""Test that id_token-decoding logic works"""
error_msg = "test error text"
monkeypatch.setattr(
"jose.jwt.decode", make_raiser(jwt.ExpiredSignatureError(error_msg))
)
with pytest.raises(Unauthorized, match=error_msg) as e:
bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY)
monkeypatch.setattr("jose.jwt.decode", make_raiser(jwt.JWTClaimsError(error_msg)))
with pytest.raises(Unauthorized, match=error_msg):
bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY)
monkeypatch.setattr("jose.jwt.decode", make_raiser(jwt.JWTError(error_msg)))
with pytest.raises(Unauthorized, match=error_msg):
bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY)
def no_email(*args, **kwargs):
return {}
monkeypatch.setattr("jose.jwt.decode", no_email)
with pytest.raises(Unauthorized):
bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY)
def correct_email(*args, **kwargs):
return PAYLOAD
monkeypatch.setattr("jose.jwt.decode", correct_email)
assert bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) == PAYLOAD
def decorated(*args, **kwargs):
token = get_bearer_token()
if not token:
return jsonify({'message': 'Token is missing!'}), 401
try:
data = jwt.decode(token, current_app.config['SECRET_KEY'])
current_user = User.objects(public_id=data['public_id']).first()
if current_user is None:
raise jwt.JWTError()
except jwt.JWTError as e:
return jsonify({
'message': 'Token is invalid!',
'error': str(e)
}), 401
return f(current_user, *args, **kwargs)
def process_response(self, response, *args, **kwargs):
jwttoken = request.cookies.get('jwt', None)
if jwttoken is not None:
try:
public_key = get_jwt_public_key()
jwt_decoded = jwt.get_unverified_claims(
jwttoken) if public_key is '' else jwt.decode(
jwttoken, public_key)
iat = jwt_decoded['iat']
exp = jwt_decoded['exp']
now = time.time()
if iat + 1200 < now <= exp:
email = jwt_decoded.get('email', None)
resp = requests.post(
settings.REMOTE_JWT_REFRESH_PROVIDER,
headers={
'Authorization': 'Bearer ' + jwttoken
},
data={'email': email})
if resp.status_code < 300 and resp.data.get(
'jwt', None) is not None:
response.set_cookie('jwt',
resp.data['jwt'],
secure=True,
httponly=True)
elif resp.status_code == 401:
raise jwt.JWTError(
'The authentication refresh service has denied a refresh, a login is likely in order.'
)
elif now > exp:
raise jwt.JWTClaimsError(
'The asserted expiration claim has passed.')
except (jwt.ExpiredSignatureError, jwt.JWTClaimsError,
jwt.JWTError) as e:
return redirect(
settings.REMOTE_JWT_EXPIRED_ENDPOINT +
urllib.quote_plus(request.referrer
or settings.ROOT_UI_URL))
return super(JwtFlask,
self).process_response(response, *args, **kwargs)
def decode_token(self, token):
url = f'https://{self.domain}/.well-known/jwks.json'
resp = requests.get(url)
jwks = resp.json()
try:
unverified_header = jwt.get_unverified_header(token)
if unverified_header['alg'] == 'HS256':
raise jwt.JWTError()
except jwt.JWTError:
return custom_response(401,
'Use an RS256 signed JWT Access Token.')
rsa_key = {}
for key in jwks['keys']:
if key['kid'] == unverified_header['kid']:
rsa_key = {
'kty': key['kty'],
'kid': key['kid'],
'use': key['use'],
'n': key['n'],
'e': key['e']
}
try:
payload = jwt.decode(token,
rsa_key,
algorithms=algorithms,
audience=client_id,
issuer=f'https://{self.domain}/')
except jwt.ExpiredSignatureError:
return custom_response(401, 'Token expired.')
except jwt.JWTClaimsError:
return custom_response(401, 'Invalid Claims')
else:
return payload
def decorated(*args, **kwargs):
token = get_token_auth_header()
jsonurl = urlopen('https://' + AUTH0_DOMAIN + '/.well-known/jwks.json')
jwks = json.loads(jsonurl.read())
try:
unverified_header = jwt.get_unverified_header(token)
if unverified_header['alg'] == 'HS256':
raise jwt.JWTError()
except jwt.JWTError:
raise AuthError(
{
'code':
'invalid_header',
'description':
'Invalid header. Use an RS256 signed JWT Access Token'
}, 401)
rsa_key = {}
for key in jwks['keys']:
if key['kid'] == unverified_header['kid']:
rsa_key = {
'kty': key['kty'],
'kid': key['kid'],
'use': key['use'],
'n': key['n'],
'e': key['e']
}
if rsa_key:
try:
payload = jwt.decode(token,
rsa_key,
algorithms=ALGORITHMS,
audience=AUTH0_AUDIENCE,
issuer='https://' + AUTH0_DOMAIN + '/')
except jwt.ExpiredSignatureError:
raise AuthError(
{
'code': 'token_expired',
'description': 'token is expired'
}, 401)
except jwt.JWTClaimsError:
raise AuthError(
{
'code':
'invalid_claims',
'description': ('incorrect claims, please check the '
'audience and issuer')
}, 401)
except Exception:
raise AuthError(
{
'code': 'invalid_header',
'description': 'Unable to parse authentication token.'
}, 401)
_request_ctx_stack.top.current_user = payload
return f(*args, **kwargs)
raise AuthError(
{
'code': 'invalid_header',
'description': 'UNable to find appropriate key'
}, 401)
def get_unverified_header_error(token):
raise jwt.JWTError(error_str)