Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature

This commit is contained in:
Eliot Berriot 2019-07-13 15:51:34 +02:00
parent 426f6f0d45
commit d39cfab283
No known key found for this signature in database
GPG key ID: DD6965E2476E5C27
4 changed files with 29 additions and 2 deletions


@ -22,3 +22,22 @@ def test_can_invalidate_token_when_changing_user_secret_key(factories):
# token should be invalid
with pytest.raises(DecodeError):
api_settings.JWT_DECODE_HANDLER(payload)
def test_can_invalidate_token_when_changing_settings_secret_key(factories, settings):
settings.SECRET_KEY = "test1"
user = factories["users.User"]()
jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
payload = jwt_payload_handler(user)
payload = jwt_encode_handler(payload)
# this should work
api_settings.JWT_DECODE_HANDLER(payload)
# now we update the secret key
settings.SECRET_KEY = "test2"
# token should be invalid
with pytest.raises(DecodeError):
api_settings.JWT_DECODE_HANDLER(payload)
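Review bot: The final `api_settings.JWT_DECODE_HANDLER(payload)` only raises `DecodeError` if the decode handler re-reads `settings.SECRET_KEY` at call time; if the signing key were resolved once from settings when `api_settings` was built (as library defaults commonly are), the token signed under `"test1"` would still verify after `settings.SECRET_KEY = "test2"` and the test would fail for a reason unrelated to the key rotation — presumably the project's own handlers read it dynamically, but the hunk does not show that, so it is worth stating. Both assignments to `settings.SECRET_KEY` depend on the pytest-django `settings` fixture restoring the original value afterwards, which the test leaves implicit. A one-line docstring under the new `def`, `"""A token signed under one SECRET_KEY must not verify once the key is rotated."""`, would state the invariant under test, and the "# this should work" decode before the rotation is a good guard that the later failure comes from the key change rather than a broken fixture. The sibling test `test_can_invalidate_token_when_changing_user_secret_key` starts before this hunk; only its tail is visible here.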