Merge pull request #146 from ahopkins/dev

Version 1.2.1 - 2018-12-04
ahopkins · Dec 4, 2018 · 0b56cd6 · 0b56cd6
2 parents eb4b55d + 73799af
commit 0b56cd6
Show file tree

Hide file tree

Showing 10 changed files with 63 additions and 7 deletions.
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -56,7 +56,7 @@
 # The short X.Y version.
 version = u"1.2"
 # The full version, including alpha/beta/rc tags.
-release = u"1.2.0"
+release = u"1.2.1"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/docs/source/pages/changelog.rst b/docs/source/pages/changelog.rst
@@ -4,6 +4,14 @@ Changelog
 
 The format is based on `Keep a Changelog <http://keepachangelog.com/en/1.0.0/>`_ and this project adheres to `Semantic Versioning <http://semver.org/spec/v2.0.0.html>`_.
 
+++++++++++++++++++++++++++
+Version 1.2.1 - 2018-12-04
+++++++++++++++++++++++++++
+
+| **Fixed**
+| - `#143 <https://github.com/ahopkins/sanic-jwt/issues/143>`_. Security bug resolved on empty tokens
+|
+
 ++++++++++++++++++++++++++
 Version 1.2.0 - 2018-08-06
 ++++++++++++++++++++++++++

diff --git a/sanic_jwt/__init__.py b/sanic_jwt/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.2.0"
+__version__ = "1.2.1"
 __author__ = "Adam Hopkins"
 __credits__ = "Richard Kuesters"
 

diff --git a/sanic_jwt/authentication.py b/sanic_jwt/authentication.py
@@ -289,7 +289,7 @@ def _get_token(self, request, refresh_token=False):
         """
         if self.config.cookie_set():
             token = self._get_token_from_cookies(request, refresh_token)
-            if token is not None:
+            if token:
                 return token
 
             else:
@@ -298,15 +298,16 @@ def _get_token(self, request, refresh_token=False):
 
         if self.config.query_string_set():
             token = self._get_token_from_query_string(request, refresh_token)
-            if token is not None:
+            if token:
                 return token
 
             else:
                 if self.config.query_string_strict():
                     raise exceptions.MissingAuthorizationQueryArg()
 
         token = self._get_token_from_headers(request, refresh_token)
-        if token is not None:
+
+        if token:
             return token
 
         raise exceptions.MissingAuthorizationHeader()

diff --git a/setup.py b/setup.py
@@ -18,7 +18,7 @@
 
 setup(
     name="sanic-jwt",
-    version="1.2.0",
+    version="1.2.1",
     description="JWT oauth flow for Sanic",
     url="https://github.com/ahopkins/sanic-jwt",
     download_url="https://github.com/ahopkins/sanic-jwt/archive/master.zip",

diff --git a/tests/test_endpoints_basic.py b/tests/test_endpoints_basic.py
@@ -72,6 +72,26 @@ def test_auth_verify_missing_token_debug(app):
     assert "Authorization header not present." in response.json.get("reasons")
 
 
+def test_auth_verify_invalid_token(app):
+    sanic_app, _ = app
+    _, response = sanic_app.test_client.get(
+        "/auth/verify", headers={"Authorization": "Bearer "}
+    )
+    assert response.status == 400
+    assert response.json.get("exception") == "InvalidAuthorizationHeader"
+    assert "Authorization header is invalid." in response.json.get("reasons")
+
+
+def test_auth_verify_invalid_token(app):
+    sanic_app, _ = app
+    _, response = sanic_app.test_client.get(
+        "/auth/verify", headers={"Authorization": "Bearer "}
+    )
+    assert response.status == 401
+    assert response.json.get("exception") == "MissingAuthorizationHeader"
+    assert "Authorization header not present." in response.json.get("reasons")
+
+
 def test_auth_refresh_not_found(app):
     sanic_app, _ = app
     _, response = sanic_app.test_client.post("/auth/refresh")

diff --git a/tests/test_endpoints_cookies.py b/tests/test_endpoints_cookies.py
@@ -365,3 +365,16 @@ def test_refresh_token_with_cookies_not_strict(
             sanicjwt.config.cookie_refresh_token_name(), None
         ) is None  # there is no new refresh token
         assert sanicjwt.config.cookie_refresh_token_name() not in response.json
+
+    def test_auth_verify_invalid_token(self, app_with_refresh_token):
+        sanic_app, sanicjwt = app_with_refresh_token
+
+        _, response = sanic_app.test_client.get(
+            "/auth/verify",
+            cookies={sanicjwt.config.cookie_access_token_name(): ""},
+        )
+        assert response.status == 401
+        assert response.json.get("exception") == "MissingAuthorizationCookie"
+        assert "Authorization cookie not present." in response.json.get(
+            "reasons"
+        )
diff --git a/tests/test_endpoints_query_string.py b/tests/test_endpoints_query_string.py
@@ -334,3 +334,17 @@ def test_refresh_token_with_query_string_not_strict(
             sanicjwt.config.query_string_refresh_token_name(), None
         ) is None  # there is no new refresh token
         assert sanicjwt.config.query_string_refresh_token_name() not in response.json
+
+    def test_auth_verify_invalid_token(self, app_with_refresh_token):
+        sanic_app, sanicjwt = app_with_refresh_token
+
+        _, response = sanic_app.test_client.get(
+            "/auth/verify?{}=".format(
+                sanicjwt.config.cookie_access_token_name()
+            )
+        )
+        assert response.status == 401
+        assert response.json.get("exception") == "MissingAuthorizationQueryArg"
+        assert "Authorization query argument not present." in response.json.get(
+            "reasons"
+        )
diff --git a/tests/test_static.py b/tests/test_static.py
diff --git a/tox.ini b/tox.ini
@@ -59,7 +59,7 @@ commands =
 deps = coverage
 skip_install = true
 commands =
-    ; coverage combine --append
+    coverage combine --append
     coverage report
     coverage html