Check issuer

notesapi/v1/permissions.py

@@ -5,6 +5,9 @@
 
 logger = logging.getLogger(__name__)
 
+class TokenWrongIssuer(Exception):
+    pass
+
 class HasAccessToken(BasePermission):
     """
     Allow requests having valid ID Token.
@@ -19,6 +22,8 @@ def has_permission(self, request, view):
         try:
             data = jwt.decode(token, settings.CLIENT_SECRET)
             auth_user = data['sub']
+            if data['aud'] != settings.CLIENT_ID:
+                raise TokenWrongIssuer
             for request_field in ('GET', 'POST', 'DATA'):
                 if 'user' in getattr(request, request_field):
                     req_user = getattr(request, request_field)['user']
@@ -30,9 +35,12 @@ def has_permission(self, request, view):
                         ))
                         return False
             logger.info("No user was present to compare in GET, POST or DATA")
-            # but user still has valid token, so let them pass
+            # but user still has valid token, and request is not user-specific so let them pass?
+            # have to make sure they will not be able to grab ALL data with that...
             return True
         except jwt.ExpiredSignature:
             logger.exception("Token was expired: {}".format(token))
         except jwt.DecodeError:
             logger.exception("Could not decode token {}".format(token))
+        except TokenWrongIssuer:
+            logger.exception("Token has wrong issuer {}".format(token))

notesapi/v1/tests/helpers.py

@@ -29,6 +29,7 @@ def mock_authorizer(*args, **kwargs):
 def get_id_token(user):
     now = datetime.utcnow()
     return jwt.encode({
+        'aud': settings.CLIENT_ID,
         'sub': user,
         'iat': timegm(now.utctimetuple()),
         'exp': timegm((now + timedelta(seconds=30)).utctimetuple()),