Comments (10)
I'm all for adding a logger.error and logger.critical, but outside of that is changing functionality and design principles. I'm not used to CVE reports and actionables in an open source context, but this is my understanding of general good design and consistent behavior for developers. Let me know if that's not how I should be approaching this and why.
Adding logs can help users to avoid such issues. If possible let's also add more secure examples in docs so it doesn't introduce vulns in their projects.
from djangorestframework-simplejwt.
This is an issue only if used with JWTStatelessUserAuthentication/JWTTokenUserAuthentication
, while JWTAuthentication
class is not affected since it queries the database to check if ther user is active.
The "bad configuration" is:
whenever the
Token.for_user
method is used without prior user validation andJWTStatelessUserAuthentication
orJWTTokenUserAuthentication
(which is an alias of ther previous one) authentication class is used.
from djangorestframework-simplejwt.
Thanks for filing. cc @robd003
This is more of a documentation thing as using .for_user
directly is non-standard, but because of my very own telling to everyone to just use SimpleJWT classes directly, this mistake is attributed to me. Unfortunately, it works by design and is following DRY principles and separation of duties where the validation takes place on the serializer part, which is Django standard, but I'll add some documentation to warn users.
from djangorestframework-simplejwt.
Thanks for filing. cc @robd003
This is more of a documentation thing as using
.for_user
directly is non-standard, but because of my very own telling to everyone to just use SimpleJWT classes directly, this mistake is attributed to me. Unfortunately, it works by design and is following DRY principles and separation of duties where the validation takes place on the serializer part, which is Django standard, but I'll add some documentation to warn users.
I understand but there are several projects using it directly without any kind of user's active status validation which makes those projects vulnerable.
from djangorestframework-simplejwt.
I'm all for adding a logger.error and logger.critical, but outside of that is changing functionality and design principles. I'm not used to CVE reports and actionables in an open source context, but this is my understanding of general good design and consistent behavior for developers. Let me know if that's not how I should be approaching this and why.
from djangorestframework-simplejwt.
@Andrew-Chen-Wang Why don't add an exception raised if using .for_user
directly?
As @dmdhrumilmistry says
there are several projects using it directly without any kind of user's active status validation which makes those projects vulnerable.
and as the vuln doc says:
CVE-2024-22513
so people doesn't have to check this manually:
if user and user.is_active:
Because this line in the vuln makes it important I think:
This feature introduces the ability to use different subclasses of the Token class, such as RefreshToken, SlidingToken, AccessToken, and UntypedToken with for_user method. However, this enhancement also expands the potential attack surface.
And it won't be shown on vuln scanners.
from djangorestframework-simplejwt.
Related Issues (20)
- `self.jwks_client.get_signing_key_from_jwt` raises uncaught `PyJWKClientConnectionError` which gets masked as "Token is invalid or expired"
- Cookie based authentication HOT 1
- Caim "Issued At" not updated after token refresh
- Feature Request: Redis Support for Blacklisted JWTs HOT 1
- Token verification and validation
- Library does not automatically verify that the token hasn't been tampered with HOT 8
- Trouble fetching data using the token HOT 1
- Verify check tell refresh token is ok, anyway that is blacklisted
- Incorrect type hints for several classes/methods HOT 4
- Import "rest_framework_simplejwt.authentication" could not be resolved Pylance (reportMissingImports) HOT 2
- Import Error on Django 5 HOT 1
- ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None)) with djangorestframework-jwt HOT 1
- How setup AWS Cognito with djangorestframework-simplejwt HOT 2
- CVE-2024-22513 HOT 1
- Security Issue HOT 3
- `Token` subclass' `for_user` method is typed to return a `Token` HOT 1
- encrypt username instead of user_id HOT 1
- The translation of the message "No active account found with the given credentials" does not work in various locales HOT 1
- TokenRefreshView doesn't register token_blacklist_outstandingtoken HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from djangorestframework-simplejwt.