brut/bincio-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: decode_session must validate RS256 tokens (not just HS256)

Browse Source
This commit is contained in:
Davide Scaini
2026-06-03 15:53:10 +02:00
parent c1c1e7ae4e
commit 5b6146792e
1 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bincio/auth/deps.py
+22 -5
View File
@@ -111,11 +111,28 @@ def _check_rate_limit(
# ── Auth dependency functions ───────────────────────────────────────────────── # ── Auth dependency functions ─────────────────────────────────────────────────
def _decode_session(token: str) -> User | None: def _decode_session(token: str) -> User | None:
"""Decode JWT and return the live User, or None if invalid/suspended.""" """Decode JWT (RS256 or HS256) and return the live User, or None if invalid/suspended."""
try: payload = None
payload = decode_token(token, jwt_secret)
except _jwt.PyJWTError: if oidc_private_key_pem:
return None try:
from cryptography.hazmat.primitives.serialization import load_pem_private_key
priv = load_pem_private_key(oidc_private_key_pem.encode(), password=None)
payload = _jwt.decode(
token,
priv.public_key(),
algorithms=["RS256"],
options={"verify_aud": False},
)
except Exception:
pass
if payload is None:
try:
payload = decode_token(token, jwt_secret)
except _jwt.PyJWTError:
return None
handle = payload.get("sub") handle = payload.get("sub")
if not handle: if not handle:
return None return None