Merge pull request #17 from corbado/16-optimize-jwt-unit-tests

Optimize JWT Unit tests

Author: snacker81

src/corbado_python_sdk/services/implementation/session_service.py

@@ -2,6 +2,7 @@
 from jwt import (
     ExpiredSignatureError,
     ImmatureSignatureError,
+    InvalidAlgorithmError,
     InvalidSignatureError,
     decode,
 )
@@ -16,6 +17,7 @@
 )
 
 DEFAULT_SESSION_TOKEN_LENGTH = 300
+ALLOWED_ALGS = {"RS256"}
 
 
 class SessionService(BaseModel):
@@ -90,7 +92,7 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
 
         # decode short session (jwt) with signing key
         try:
-            payload = decode(jwt=session_token, key=signing_key.key, algorithms=["RS256"])
+            payload = decode(jwt=session_token, key=signing_key.key, algorithms=list(ALLOWED_ALGS))
 
             # extract information from decoded payload
             token_issuer: str = payload.get("iss")
@@ -104,15 +106,21 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
             )
         except ExpiredSignatureError as error:
             raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
-                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+                error_type=ValidationErrorType.CODE_JWT_EXPIRED,
+                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
                 original_exception=error,
             )
 
         except InvalidSignatureError as error:
             raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_EXPIRED,
-                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
+                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+                original_exception=error,
+            )
+        except InvalidAlgorithmError as error:
+            raise TokenValidationException(
+                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+                message="Algorithm not allowed",
                 original_exception=error,
             )
 

tests/unit/test_session_service.py

@@ -8,6 +8,7 @@
     DecodeError,
     ExpiredSignatureError,
     ImmatureSignatureError,
+    InvalidAlgorithmError,
     InvalidSignatureError,
     PyJWKClientError,
     encode,
@@ -126,8 +127,10 @@ def _provide_jwts(self):
             # JWT signed with wrong algorithm (HS256 instead of RS256)
             (
                 False,
-                """eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6
-                IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.dyt0CoTl4WoVjAHI9Q_CwSKhl6d_9rhM3NrXuJttkao""",
+                (
+                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6"
+                    "IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.dyt0CoTl4WoVjAHI9Q_CwSKhl6d_9rhM3NrXuJttkao"
+                ),
                 PyJWKClientError,
                 'Unable to find a signing key that matches: "None"',
             ),
@@ -179,6 +182,14 @@ def _provide_jwts(self):
                 None,
                 None,
             ),
+            # Disallowed algorithm "none"
+            (
+                False,
+                "eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIiwgImtpZCI6ICJraWQxMjMifQ.eyJpc3MiOiAiaHR0cHM6"
+                "Ly9hdXRoLmFjbWUuY29tIiwgInN1YiI6ICIxMjM0NSIsICJpYXQiOiAxNzQ5NzI2NjIxLCAiZXhwIjogMTc0OTczMDIyMSwgIm5iZiI6IDE3NDk3MjY2MjF9.",
+                InvalidAlgorithmError,
+                'The specified alg value is not allowed',
+            ),
             # Success with old Frontend API URL in config (2)
             (
                 True,