Skip to content

Commit

Permalink
Fix OIDC plugin crashing when given a JWT without an exp claim (#11814)
Browse files Browse the repository at this point in the history
  • Loading branch information
patrys committed Jan 26, 2023
1 parent 8abb78b commit 3658d62
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 1 deletion.
3 changes: 3 additions & 0 deletions saleor/plugins/openid_connect/tests/test_plugin.py
Original file line number Diff line number Diff line change
Expand Up @@ -911,6 +911,7 @@ def test_authenticate_user_with_jwt_access_token(
decoded_access_token["scope"] = ""
decoded_token = MagicMock()
decoded_token.__getitem__.side_effect = decoded_access_token.__getitem__
decoded_token.get.side_effect = decoded_access_token.get

# mock get token from request
monkeypatch.setattr(
Expand Down Expand Up @@ -1151,6 +1152,7 @@ def test_authenticate_user_with_jwt_access_token_unable_to_fetch_user_info(

decoded_token = MagicMock()
decoded_token.__getitem__.side_effect = decoded_access_token.__getitem__
decoded_token.get.side_effect = decoded_access_token.get

# mock get token from request
monkeypatch.setattr(
Expand Down Expand Up @@ -1193,6 +1195,7 @@ def test_authenticate_user_with_jwt_invalid_access_token(

decoded_token = MagicMock()
decoded_token.__getitem__.side_effect = decoded_access_token.__getitem__
decoded_token.get.side_effect = decoded_access_token.get
decoded_token.validate.side_effect = JoseError()

# mock get token from request
Expand Down
26 changes: 26 additions & 0 deletions saleor/plugins/openid_connect/tests/test_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import pytest
import pytz
import requests
from authlib.jose import JWTClaims
from django.core.exceptions import ValidationError
from django.utils.timezone import make_aware
from freezegun import freeze_time
Expand All @@ -32,6 +33,7 @@
get_or_create_user_from_payload,
get_saleor_permission_names,
get_saleor_permissions_qs_from_scope,
get_user_from_oauth_access_token_in_jwt_format,
get_user_from_token,
get_user_info,
validate_refresh_token,
Expand Down Expand Up @@ -331,3 +333,27 @@ def test_get_or_create_user_from_payload_with_last_login(customer_user, settings
)
assert user_from_payload.email == customer_user.email
assert user_from_payload.private_metadata[f"oidc-{oauth_url}"] == sub_id


def test_jwt_token_without_expiration_claim(monkeypatch, decoded_access_token):
monkeypatch.setattr(
"saleor.plugins.openid_connect.utils.get_user_info_from_cache_or_fetch",
lambda *args, **kwargs: {
"email": "test@example.org",
"sub": token_payload["sub"],
"scope": token_payload["scope"],
},
)
decoded_access_token.pop("exp")
token_payload = JWTClaims(
decoded_access_token,
{},
)
user = get_user_from_oauth_access_token_in_jwt_format(
token_payload,
"https://example.com",
access_token="fake-token",
use_scope_permissions=False,
audience="",
)
assert user.email == "test@example.org"
2 changes: 1 addition & 1 deletion saleor/plugins/openid_connect/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ def get_user_from_oauth_access_token_in_jwt_format(
user_info = get_user_info_from_cache_or_fetch(
user_info_url,
access_token,
token_payload["exp"],
token_payload.get("exp"),
)
if not user_info:
logger.info(
Expand Down

0 comments on commit 3658d62

Please sign in to comment.