Verify Serializer Should Honour Blacklist#239
Verify Serializer Should Honour Blacklist#239Andrew-Chen-Wang merged 7 commits intojazzband:masterfrom TeresaSiegmantel:blacklisted_token_should_not_verify
Conversation
There was a problem hiding this comment.
Thanks for your contribution! Left my review of your PR. Please resolve each comment as you make those changes. Sorry for taking so long @philipp-siegmantel Just getting exponentially busier with college comin' up.
I think from a security standpoint, it looks fine. You can see the description for the token type is:
https://github.com/SimpleJWT/django-rest-framework-simplejwt/blob/master/rest_framework_simplejwt/tokens.py#L299-L303
Untyped tokens do not verify the "token_type" claim. This is useful
when performing general validation of a token's signature and other
properties which do not relate to the token's intended use.
I think only L158 is a concern. I'll leave another comment for that, but basically, you don't want to let someone know that it's blacklisted.
|
Closes #231 Hopefully that links with the issue so that the issue automatically closes. |
|
I add your suggestions, thanks for them. Now I have a problem I can't seem to fix. The test checks that the blacklisted token does not verify, fails. This is due to the |
Andrew-Chen-Wang
left a comment
Andrew-Chen-Wang
left a comment
There was a problem hiding this comment.
You might've used the wrong name for settings. @philipp-siegmantel
|
Quick question: would it be better if we had Travis? Would probably make reviewing PRs and seeing where tests failed easier since it's embedded into the GH site. |
|
Ok, now all tests pass. An attacker could still infer that a token is an access token, but only if it is blacklisted, so I see no problem. |
|
I think some form of CI would be great. Github has Actions, witch are pretty simple to set up. EDIT: I see you use CircleCI. |
Yea, not a fan of CircleCI; that was here before I started using GitHub. I like GitHub actions for CI/CD when it comes to testing certain things and publishing/deployment (e.g. AWS services testing without Moto and AWS deployment). But Travis CI has a nicer interface, especially for open source projects because the builds are individualized via the TOXENV. Additionally, testing the configuration of .travis.yml is a little more smooth and visibly more appealing. Some great things about GitHub actions are like if a certain path has a file change, then execute an action, whereas Travis doesn't support that.
Perhaps with certain configurations. Not too big of a problem for most Django websites since an attacker is not going to know some random website. |
|
Hi guys |
|
@auvipy do you mind reviewing this as well? I was waiting for David for a second opinion, but obviously he's absent now. |
auvipy
left a comment
auvipy
left a comment
There was a problem hiding this comment.
docs/changelog should be updated as well
|
|
||
|
|
||
| class TokenVerifySerializerShouldHonourBlacklist(MigrationTestCase): | ||
| migrate_from = ('token_blacklist', '0002_outstandingtoken_jti_hex') |
There was a problem hiding this comment.
this is testing migration but the PR is not showing any migration changes, or it was already done but not tested?
There was a problem hiding this comment.
Yea those migrations were already done and come from https://github.com/jazzband/django-rest-framework-simplejwt/tree/master/rest_framework_simplejwt/token_blacklist/migrations
4 participants
With this patch, the TokenVerifySerializer checks the blacklist if the app is installed.
See Issue #231.