-
Notifications
You must be signed in to change notification settings - Fork 670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Library does not automatically verify that the token hasn't been tampered with #784
Comments
@Andrew-Chen-Wang @aqeelat Can we get a response to this? Seems like a glaring security issue. GHSA-5vcc-86wm-547q |
well shit |
@robd003 thanks for pinging me. let's start the the filed CVE in your comment (which I'll repost in the dup issue): re: GHSA-5vcc-86wm-547q there's another issue that'll track that: #779 re: this issue, thanks for filing @Ichicoro This is surprising. I'm not entirely sure what the difference is between your Authentication class and the current one? The current one runs:
I have two questions:
|
Sorry if I am stepping in yet @Andrew-Chen-Wang analysis seems to be spot on. For others to follow:
There is no try catch block in between that would catch / hide one of the errors... There are of course options why its not workign for @Ichicoro, for example if he overwrote e.g. AUTH_TOKEN_CLASSES and is not calling there the @Ichicoro could you elaborate on that. Andrew won't be able to fix things if he cannot reproduce things. |
I was having a look into this, and i noticed the |
@stephendwolff dj_rest_auth is designed for SPAs like standalone React. I'll keep this open for a bit to allow OP to follow up with more code configuration, but I'll have to mark this as invalid as it doesn't seem possible. I definitely think simplejwt blacklist could have an effect as there are a ton of variables (in production, not locally) that have unknown side effects, but this wasn't noted. |
@Andrew-Chen-Wang ah ok - thanks for the explanation. I was trying to work out if it was applicable for an API i'm working on for an app (Flutter i think) - i think probably not. |
Closing this with no response from OP and improbability of this happening with OOTB SimpleJWT. Feel free to re-open with follow-up details. |
I have to report a (quite big) issue/vulnerability, assuming it's not misconfiguration on our end 😅
It seems that the library doesn't do verification of the JWT's signature. I tampered with one token's payload and used it as my Bearer token (without correctly regenerating the signature, I just left it the same as it was before) and the library validated my forged token. I even tried having different SIGNING_KEY and VERIFYING_KEY and the Django application worked flawlessly, so there definitely is no verification of the validity of the token.
I fixed this by overriding our authentication class with a custom-made one that inherits
JWTCookieAuthentication
The text was updated successfully, but these errors were encountered: