fix: decode_session must validate RS256 tokens (not just HS256)

2026-06-03 15:53:10 +02:00
parent c1c1e7ae4e
commit 5b6146792e
1 changed files with 22 additions and 5 deletions
@@ -111,11 +111,28 @@ def _check_rate_limit(
 # ── Auth dependency functions ─────────────────────────────────────────────────

 def _decode_session(token: str) -> User | None:
-    """Decode JWT and return the live User, or None if invalid/suspended."""
-    try:
-        payload = decode_token(token, jwt_secret)
-    except _jwt.PyJWTError:
-        return None
+    """Decode JWT (RS256 or HS256) and return the live User, or None if invalid/suspended."""
+    payload = None
+
+    if oidc_private_key_pem:
+        try:
+            from cryptography.hazmat.primitives.serialization import load_pem_private_key
+            priv = load_pem_private_key(oidc_private_key_pem.encode(), password=None)
+            payload = _jwt.decode(
+                token,
+                priv.public_key(),
+                algorithms=["RS256"],
+                options={"verify_aud": False},
+            )
+        except Exception:
+            pass
+
+    if payload is None:
+        try:
+            payload = decode_token(token, jwt_secret)
+        except _jwt.PyJWTError:
+            return None
+
    handle = payload.get("sub")
    if not handle:
        return None