Add algorithms for FileBrowser JWT verification

2022-07-22 00:13:37 +03:00
parent cb3b831f7a
commit 4d159b2793
1 changed files with 3 additions and 1 deletions
@@ -341,7 +341,9 @@ def nginx_jwt_resp(request, *args, **kwargs):
    if not cookie:
        return HttpResponse("", status=401)
    try:
-        token = decode(cookie, settings.SECRET_KEY)
+        # This also verifies the signature.
+        # See https://pyjwt.readthedocs.io/en/latest/usage.html#reading-the-claimset-without-validation
+        token = decode(cookie, settings.SECRET_KEY, algorithms=["HS256"])
    except InvalidSignatureError:
        return HttpResponse("", status=403)
    user = "admin" if token.get("username", "") == "admin" else "moderator"