diff --git a/notesapi/v1/permissions.py b/notesapi/v1/permissions.py
index 42fd15d3..7bd1a969 100644
--- a/notesapi/v1/permissions.py
+++ b/notesapi/v1/permissions.py
@@ -5,6 +5,9 @@ logger = logging.getLogger(__name__)
+class TokenWrongIssuer(Exception):
+ pass
+
 class HasAccessToken(BasePermission):
 """
 Allow requests having valid ID Token.
@@ -19,6 +22,8 @@ def has_permission(self, request, view):
 try:
 data = jwt.decode(token, settings.CLIENT_SECRET)
 auth_user = data['sub']
+ if data['aud'] != settings.CLIENT_ID:
+ raise TokenWrongIssuer
 for request_field in ('GET', 'POST', 'DATA'):
 if 'user' in getattr(request, request_field):
 req_user = getattr(request, request_field)['user']
@@ -30,9 +35,12 @@ def has_permission(self, request, view):
 ))
 return False
 logger.info("No user was present to compare in GET, POST or DATA")
- # but user still has valid token, so let them pass
+ # but user still has valid token, and request is not user-specific so let them pass?
+ # have to make sure they will not be able to grab ALL data with that...
 return True
 except jwt.ExpiredSignature:
 logger.exception("Token was expired: {}".format(token))
 except jwt.DecodeError:
 logger.exception("Could not decode token {}".format(token))
+ except TokenWrongIssuer:
+ logger.exception("Token has wrong issuer {}".format(token))
diff --git a/notesapi/v1/tests/helpers.py b/notesapi/v1/tests/helpers.py
index 234e49c1..3f5be322 100644
--- a/notesapi/v1/tests/helpers.py
+++ b/notesapi/v1/tests/helpers.py
@@ -29,6 +29,7 @@ def mock_authorizer(*args, **kwargs):
 def get_id_token(user):
 now = datetime.utcnow()
 return jwt.encode({
+ 'aud': settings.CLIENT_ID,
 'sub': user,
 'iat': timegm(now.utctimetuple()),
 'exp': timegm((now + timedelta(seconds=30)).utctimetuple()),
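Review bot: `TokenWrongIssuer` is raised in the second hunk when the `aud` claim differs from `settings.CLIENT_ID`, which is an audience mismatch rather than an issuer (`iss`) mismatch, so the class name and the "Token has wrong issuer" message logged in the third hunk will send whoever triages those log lines down the wrong path. Rename it `TokenWrongAudience` (or additionally compare an `iss` claim if the project configures an issuer) and replace the bare `pass` with a docstring such as `"""Raised when a decoded token's ``aud`` claim is not this service's CLIENT_ID."""`. The same rename then applies to the `raise` in the second hunk and the `except` clause in the third.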
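Review bot: `data['aud']` raises `KeyError` for a token that carries no `aud` claim at all, and none of the `except` clauses in `has_permission` handle it, so a token of unexpected shape turns into a server error instead of a denied request; `if data.get('aud') != settings.CLIENT_ID:` rejects a missing claim the same way as a wrong one. If the installed PyJWT exposes the `audience` keyword on `jwt.decode`, passing `audience=settings.CLIENT_ID` lets the library perform this check during signature verification (it raises its own exception for a missing or mismatched claim, which would then need its own `except`) and removes the hand-rolled comparison. `has_permission` starts and ends outside this hunk.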
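Review bot: The rewritten comment above `return True` leaves an unresolved authorization question in production code (`let them pass?`, `have to make sure they will not be able to grab ALL data`): a token whose `aud` and signature check out but whose `sub` is never compared to anything is granted access whenever the request carries no `user` field. Either deny here or replace the musing with a `# TODO(owner):` that states the invariant the views must uphold, e.g. that every view reachable without a `user` parameter scopes its own data by the authenticated subject; as written the comment documents a risk without assigning a decision. The new `except TokenWrongIssuer` also writes the complete raw token into the log via `logger.exception`, which stores a bearer credential in log storage and emits a stack trace for an expected control-flow outcome; a `logger.warning` with a fixed message and a non-secret correlator (the request path, or the token's `sub` claim) records what an operator needs without retaining the token.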
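Review bot: Adding `'aud': settings.CLIENT_ID` keeps the existing tests on the success path, but nothing visible in this diff exercises the new rejection branch, so a later regression that drops the audience check would go unnoticed. Letting the helper mint a token with a different or absent audience makes such a test a one-liner: `def get_id_token(user, aud=settings.CLIENT_ID):` and `'aud': aud,` in the payload, with a test asserting that `has_permission` returns a falsy value for a mismatched `aud`. The default keeps every current caller unchanged.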