
fix: Catch errors when failing to verify JWTs #5153

Merged
merged 4 commits into from
Mar 7, 2025
Merged

Conversation

rolodato
Member

Fixes #4982.

The issue as described is incorrect, as the SAML routes already use AllowAny. The problem is actually caused by get_validated_token returning an exception when called with an invalid JWT. We now catch any of these expected errors and gracefully fail the authentication instead.

This is completely untested.

@rolodato rolodato requested a review from a team as a code owner February 21, 2025 23:25
@rolodato rolodato requested review from gagantrivedi and removed request for a team February 21, 2025 23:25

vercel bot commented Feb 21, 2025

The latest updates on your projects.

3 Skipped Deployments
Name Status Preview Comments Updated (UTC)
docs ⬜️ Ignored (Inspect) Visit Preview Mar 7, 2025 2:47pm
flagsmith-frontend-preview ⬜️ Ignored (Inspect) Visit Preview Mar 7, 2025 2:47pm
flagsmith-frontend-staging ⬜️ Ignored (Inspect) Visit Preview Mar 7, 2025 2:47pm

@github-actions github-actions bot added api Issue related to the REST API fix labels Feb 21, 2025
Contributor

github-actions bot commented Feb 21, 2025

Docker builds report

Image Build Status Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-5153 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-5153 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith-api:pr-5153 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-frontend:pr-5153 Finished ✅ Results
ghcr.io/flagsmith/flagsmith:pr-5153 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-private-cloud:pr-5153 Finished ✅ Results

Contributor

github-actions bot commented Feb 21, 2025

Uffizzi Preview deployment-61216 was deleted.


codecov bot commented Feb 21, 2025

Codecov Report

Attention: Patch coverage is 95.55556% with 2 lines in your changes missing coverage. Please review.

Project coverage is 97.50%. Comparing base (9a58249) to head (b586ca2).
Report is 29 commits behind head on main.

Files with missing lines Patch % Lines
api/api_keys/models.py 0.00% 1 Missing ⚠️
api/organisations/urls.py 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5153      +/-   ##
==========================================
+ Coverage   97.47%   97.50%   +0.02%     
==========================================
  Files        1224     1224              
  Lines       42590    42623      +33     
==========================================
+ Hits        41515    41558      +43     
+ Misses       1075     1065      -10     


@khvn26
Member

khvn26 commented Feb 24, 2025

I am surprised that the new code path is covered by tests and no existing tests are modified, which suggests the backend behaviour is not changed by this PR?

@rolodato
Member Author

rolodato commented Mar 7, 2025

@khvn26 I don't see any tests for this code, but in any case you can test this by trying to fetch a non-existent SAML configuration. Even if you are using an invalid JWT cookie, this should return 404 when using this fix:

curl -i -X POST http://localhost:8000/api/v1/auth/saml/foo/request/ -d{} --cookie jwt='badtoken'

HTTP/1.1 404 Not Found
Date: Fri, 07 Mar 2025 02:28:52 GMT
Server: WSGIServer/0.2 CPython/3.12.2
Content-Type: application/json
Vary: Accept, Origin
Allow: POST, OPTIONS
Expires: Fri, 07 Mar 2025 02:28:52 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Frame-Options: DENY
Content-Length: 58
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"detail":"No SamlConfiguration matches the given query."}

Before this change, the request fails and prevents users with expired or invalid tokens from logging in via SAML:

HTTP/1.1 401 Unauthorized
Date: Fri, 07 Mar 2025 02:28:23 GMT
Server: WSGIServer/0.2 CPython/3.12.2
Content-Type: application/json
WWW-Authenticate: Cookie realm="api"
Vary: Accept, Origin
Allow: POST, OPTIONS
Expires: Fri, 07 Mar 2025 02:28:23 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Frame-Options: DENY
Content-Length: 185
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"detail":"Given token not valid for any token type","code":"token_not_valid","messages":[{"token_class":"SlidingToken","token_type":"sliding","message":"Token is invalid or expired"}]}
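To make the behaviour discussed in the PR description and in the reply above concrete (a failing get_validated_token turning into a 401 before the fix, and the request reaching the AllowAny view as anonymous after it), here is a self-contained Python model added as an illustration. It is not Flagsmith's code and not the diff from this PR: the class name CookieJWTAuthentication, the dispatch helper, the saml_request_view function and the toy HS256 token minter are assumptions standing in for Django REST framework and rest_framework_simplejwt, and the signing secret and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo secret; a real deployment uses its own signing key material.
SECRET = b"constructed-demo-secret"


class TokenError(Exception):
    """Raised by get_validated_token for a malformed, forged or expired token."""


class AuthenticationFailed(Exception):
    """Models DRF's AuthenticationFailed: the framework turns it into a 401."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, ttl_seconds: float, secret: bytes = SECRET) -> str:
    """Issue a toy HS256 token (header.payload.signature); hypothetical helper."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "exp": time.time() + ttl_seconds}).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def get_validated_token(raw: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify signature and expiry; raise TokenError on any problem, as simplejwt does."""
    now = time.time() if now is None else now
    parts = raw.split(".")
    if len(parts) != 3:
        raise TokenError("Token is invalid or expired")
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64 or bad JSON in either segment
        raise TokenError("Token is invalid or expired")
    if not hmac.compare_digest(given, expected):
        raise TokenError("Token is invalid or expired")
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise TokenError("Token is invalid or expired")
    return claims


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    user: Optional[str] = None


class CookieJWTAuthentication:
    """DRF-style authenticator reading the 'jwt' cookie (hypothetical class name)."""

    def __init__(self, catch_token_errors: bool):
        # False models the behaviour before the fix, True the behaviour after it.
        self.catch_token_errors = catch_token_errors

    def authenticate(self, request: Request):
        raw = request.cookies.get("jwt")
        if raw is None:
            return None  # no credentials: anonymous, the view's permissions decide
        try:
            claims = get_validated_token(raw)
        except TokenError as exc:
            if self.catch_token_errors:
                return None  # the fix: a bad cookie is treated like no cookie
            raise AuthenticationFailed(str(exc)) from exc  # before the fix: 401
        return claims["sub"], claims


def saml_request_view(request: Request, configuration: str, known: set):
    """AllowAny view: it never consults request.user, only the configuration name."""
    if configuration not in known:
        return 404, {"detail": "No SamlConfiguration matches the given query."}
    return 200, {"detail": f"SAML request for {configuration}"}


def dispatch(auth: CookieJWTAuthentication, request: Request, configuration: str, known: set):
    """Minimal stand-in for DRF request handling: authenticate, then run the view."""
    try:
        result = auth.authenticate(request)
    except AuthenticationFailed as exc:
        return 401, {"detail": str(exc), "code": "token_not_valid"}
    request.user = result[0] if result else None
    return saml_request_view(request, configuration, known)


if __name__ == "__main__":
    for catch in (False, True):
        status, body = dispatch(CookieJWTAuthentication(catch), Request({"jwt": "badtoken"}), "foo", {"acme"})
        print("catch_token_errors =", catch, "->", status, body)
```

Two points worth keeping in mind when applying this pattern to real code: catch only the library's token error classes (TokenError / InvalidToken in rest_framework_simplejwt), never a bare Exception, so that genuine server faults still surface; and returning None from authenticate is only safe because a protected view's permission classes still reject an anonymous request, so a forged or expired cookie never yields a user but also never blocks an endpoint that was meant to be public.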

@github-actions github-actions bot added fix and removed fix labels Mar 7, 2025
@rolodato rolodato force-pushed the fix/catch-jwt-errors branch from 5b357b4 to c7525cb Compare March 7, 2025 14:06
@github-actions github-actions bot added fix and removed fix labels Mar 7, 2025
@khvn26 khvn26 force-pushed the fix/catch-jwt-errors branch from b892781 to 2d9271f Compare March 7, 2025 14:30
@github-actions github-actions bot added fix and removed fix labels Mar 7, 2025
@github-actions github-actions bot added fix and removed fix labels Mar 7, 2025
@github-actions github-actions bot added fix and removed fix labels Mar 7, 2025
@rolodato rolodato merged commit 0fed1d6 into main Mar 7, 2025
33 checks passed
@rolodato rolodato deleted the fix/catch-jwt-errors branch March 7, 2025 14:49
Successfully merging this pull request may close these issues.

Do not check cookie authentication for /auth/saml/{configuration}/request/