Merge branch '111-show-proper-error-message-when-signature-has-expired' into 'develop'

Resolve "Show proper error message when signature has expired" Closes #111 See merge request bramw/baserow!87
2025-04-18 03:13:47 +00:00 · 2020-08-31 12:04:12 +00:00 · 2020-08-31 12:04:12 +00:00 · d5be9b2e6a
commit d5be9b2e6a
parent fff2bd5764 7680c6f64b
4 changed files with 69 additions and 1 deletions
--- a/backend/src/baserow/api/authentication.py
+++ b/backend/src/baserow/api/authentication.py
@ -0,0 +1,43 @@
+import jwt
+
+from django.utils.translation import ugettext as _
+
+from rest_framework import exceptions
+from rest_framework_jwt.authentication import (
+    jwt_decode_handler,
+    JSONWebTokenAuthentication as JWTJSONWebTokenAuthentication
+)
+
+
+class JSONWebTokenAuthentication(JWTJSONWebTokenAuthentication):
+    def authenticate(self, request):
+        """
+        This method is basically a copy of
+        rest_framework_jwt.authentication.BaseJSONWebTokenAuthentication.authenticate
+        it only adds a machine readable error to the AuthenticationFailed response.
+        """
+
+        jwt_value = self.get_jwt_value(request)
+        if jwt_value is None:
+            return None
+
+        try:
+            payload = jwt_decode_handler(jwt_value)
+        except jwt.ExpiredSignature:
+            msg = _('Signature has expired.')
+            raise exceptions.AuthenticationFailed({
+                'detail': msg,
+                'error': 'ERROR_SIGNATURE_HAS_EXPIRED'
+            })
+        except jwt.DecodeError:
+            msg = _('Error decoding signature.')
+            raise exceptions.AuthenticationFailed({
+                'detail': msg,
+                'error': 'ERROR_DECODING_SIGNATURE'
+            })
+        except jwt.InvalidTokenError:
+            raise exceptions.AuthenticationFailed()
+
+        user = self.authenticate_credentials(payload)
+
+        return user, jwt_value
--- a/backend/src/baserow/config/settings/base.py
+++ b/backend/src/baserow/config/settings/base.py
@ -125,7 +125,7 @@ REST_FRAMEWORK = {
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
-        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
+        'baserow.api.authentication.JSONWebTokenAuthentication',
    ),
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
--- a/backend/tests/baserow/api/test_api_authentication.py
+++ b/backend/tests/baserow/api/test_api_authentication.py
@ -0,0 +1,24 @@
+import pytest
+from freezegun import freeze_time
+
+from rest_framework.status import HTTP_401_UNAUTHORIZED
+
+from django.shortcuts import reverse
+
+
+@pytest.mark.django_db
+def test_authenticate(api_client, data_fixture):
+    with freeze_time('2020-01-01 12:00'):
+        user, token = data_fixture.create_user_and_token()
+
+    response = api_client.get(reverse('api:groups:list'), **{
+        'HTTP_AUTHORIZATION': f'JWT SOME_WRONG_TOKEN'
+    })
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json()['error'] == 'ERROR_DECODING_SIGNATURE'
+
+    response = api_client.get(reverse('api:groups:list'), **{
+        'HTTP_AUTHORIZATION': f'JWT {token}'
+    })
+    assert response.status_code == HTTP_401_UNAUTHORIZED
+    assert response.json()['error'] == 'ERROR_SIGNATURE_HAS_EXPIRED'
--- a/changelog.md
+++ b/changelog.md
@ -8,6 +8,7 @@
 * Block non web frontend domains in the base url when requesting a password reset
  email.
 * Increased the amount of password characters to 256 when signing up.
+* Show machine readable error message when the signature has expired.

 ## Released (2020-07-20)