Revoke access token if user password is changed#719
Revoke access token if user password is changed#719Andrew-Chen-Wang merged 18 commits intojazzband:masterfrom
Conversation
for more information, see https://pre-commit.ci
for more information, see https://pre-commit.ci
for more information, see https://pre-commit.ci
* Update `django.po` for id translation * Update `django.mo` for Bahasa Indonesia (id) translations.
Co-authored-by: Mahdi <mahdi@Mahdis-MacBook-Pro.local>
In ""TOKEN_OBTAIN_SERIALIZER": "rest_framework_simplejwt.serializers.MyTokenObtainPairSerializer"," replaced "rest_framework_simplejwt" to "my_app" to make it clearer that it should be a custom path, since the Django app folder having the same name as the library was confusing and hard to fix if copy and pasting in a hurry.
* Added write_only=True for better doc generation Auto doc generators can perform better and generate more accurate docs by having this argument. Username field in TokenObtainSerializer and token in TokenVerifySerializer has been changed. * Added write_only=True to TokenBlacklistSerializer's refresh field
* Add support for Django 4.2 * Exclude DRF 3.13 & Django 4.2 CI combination
* [pre-commit.ci] pre-commit autoupdate updates: - [github.com/asottile/yesqa: v1.4.0 → v1.5.0](asottile/yesqa@v1.4.0...v1.5.0) - [github.com/psf/black: 22.12.0 → 23.3.0](psf/black@22.12.0...23.3.0) - [github.com/asottile/pyupgrade: v3.3.1 → v3.7.0](asottile/pyupgrade@v3.3.1...v3.7.0) * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* Support `override_api_settings` as decorator * Update test_authentication * black formatting test_authentication * Use drf status instead of literal status * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Update test_integration * Update test_serializers * Update test_integration * Update test_token_blacklist * Update test_tokens * Update test_views * add `setUpTestData` to `TestToken` * fix typo `self` should be `cls` --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
|
@Andrew-Chen-Wang |
|
you should run the tests locally and debug. Follow our docs |
OK |
|
All tests passed. |
|
removing tests is not valid. |
I already added that line of the test to the test_get_user method, and these changes are implemented in the test_get_user_with_check_revoke_token. |
|
|
sorry didn't notice; only read latest commit. Thanks again:) |
|
Could you please change this from MD5 to SHA256? MD5 is not considered secure and is considered a very fast hash to compute, so makes it more ideal for brute-force attempts. I think given the level of importance to this data, which is normally secured in a database, is now outside, there is every more reason to use a much more secure hashing algorithm for this instead, such as SHA256. Would be a very quick fix and would greatly appreciate. |
|
Though I'd agree, here are a few items to consider:
There wouldn't be any breaking changes. A PR would only involve checking first the new hash function then the MD hash. Really, it's a performance thing, and a PR which should be small is always appreciated. |
|
Could you expand a little more on JWT being encrypted? As far as I'm aware, the JWT is only encoding with base64, which can easily be decoded. I hear your point regarding SHA256 adding load on the CPU. I suppose I feel a little restless thinking that the users hashed password could potentially be leaked, given MD5 insecurities, which still isn't so devastating in itself, as the users password is still hashed, or should be as you mentioned. Personally I would feel a lot better if it was something more recent than MD5 - but I do agree on the CPU load argument, which might make MD5 more suitable for this use. I guess this feature is also optional at the end of the day! Thanks for considering the request and for your response! |
Different authentication systems create JWTs differently. With this library, we instruct users to create an HMAC or RSA (or other cryptography-supported algorithms) to encrypt our JWT. You can take a look at backend.py on how we use PyJWT and pass our algorithm to encrypt the JWT payload. The final JWT is what you're thinking of being base64 encoded, but typically JWT payloads are encrypted. As a note, the "payload" is a term for the middle segment of the JWT itself! |
9 participants
In this pull request, I have added a new key to the JWT token payload called hash_password, which is generated through the following function:
Then, during JWT token validation, I check if the current user password matches the value in the hash_password field of the JWT token payload. If these two values are not equal, it means that the user has changed their password.
Additionally, the tests related to JWT token validation have also been updated accordingly with these changes.