This repository has been archived by the owner on May 26, 2020. It is now read-only.

jwt_get_secret_key check if user exists #384

Open
wants to merge 1 commit into master
Conversation

ghost

@ghost ghost commented Sep 28, 2017

When a user with a deleted account tries to access the website with a JWT that is still valid, it causes a 500 error. This checks if the user with the given pk exists, and if not, it returns api_settings.JWT_SECRET_KEY instead of the deleted user's secret key.

…h a deleted account tries to access the website
key = str(api_settings.JWT_GET_USER_SECRET_KEY(user))
return key
except User.DoesNotExist:
pass
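Review bot: the except User.DoesNotExist: pass at the end of this region swallows the lookup failure, so execution continues with whatever key was assigned before the try (per the PR description, api_settings.JWT_SECRET_KEY) and a token for a deleted account is re-checked against a different secret instead of being rejected outright. Raise jwt.InvalidTokenError() in that branch instead; BaseJSONWebTokenAuthentication already handles that exception, and the failure is then explicit rather than hidden in a fallback.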

A jwt.InvalidTokenError() exception should be raised; for sure there is no place for a pass statement. Please take a look at the BaseJSONWebTokenAuthentication class, where the InvalidTokenError exception is handled.

return key
try:
user = User.objects.get(pk=payload.get('user_id'))
key = str(api_settings.JWT_GET_USER_SECRET_KEY(user))
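Review bot: the try here wraps both the User.objects.get() lookup and the JWT_GET_USER_SECRET_KEY(user) call, although only the lookup can raise User.DoesNotExist; keep just the .get() inside the try and move the key derivation into an else: branch so the except cannot be mistaken for a failure of the configured key callback. Note also that payload.get('user_id') yields None for a token without that claim, which ends in the same except branch, so a raise there covers a missing claim as well as a deleted account.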

This code should be outside of this try ... except block, so it should look like this:

try:
    user = User.objects.get(pk=payload.get('user_id'))
except User.DoesNotExist:
    raise jwt.InvalidTokenError()
else:
    return str(api_settings.JWT_GET_USER_SECRET_KEY(user))
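The before/after behaviour discussed in this thread, as an added example that is not code from the project under review: Django's User model, PyJWT's jwt.InvalidTokenError and the api_settings object are replaced by small stand-ins with constructed values (USERS, "global-secret") so the key-lookup logic runs stand-alone, and escapes_as_server_error is a hypothetical helper showing the reported unhandled exception.

```python
class InvalidTokenError(Exception):
    """Stand-in for jwt.InvalidTokenError (PyJWT), which the auth class already handles."""
class UserDoesNotExist(Exception):
    """Stand-in for Django's User.DoesNotExist."""
# Constructed in-memory user table: pk -> per-user secret. pk 7 was deleted.
USERS = {1: "secret-for-user-1", 2: "secret-for-user-2"}

def get_user(pk):
    """Stand-in for User.objects.get(pk=pk); a missing pk (None included) raises."""
    if pk not in USERS:
        raise UserDoesNotExist(pk)
    return pk

class api_settings:  # stand-in for the project's settings object (hypothetical values)
    JWT_SECRET_KEY = "global-secret"
    JWT_GET_USER_SECRET_KEY = staticmethod(lambda user: USERS[user])

def jwt_get_secret_key_before(payload):
    """Lookup as reported in the PR: a deleted user lets DoesNotExist escape -> HTTP 500."""
    key = api_settings.JWT_SECRET_KEY
    if api_settings.JWT_GET_USER_SECRET_KEY:
        user = get_user(payload.get("user_id"))   # unhandled for a deleted account
        key = str(api_settings.JWT_GET_USER_SECRET_KEY(user))
    return key

def jwt_get_secret_key(payload):
    """Shape suggested in review: only the lookup is in the try, and a missing user
    raises InvalidTokenError instead of silently continuing with another secret."""
    key = api_settings.JWT_SECRET_KEY
    if api_settings.JWT_GET_USER_SECRET_KEY:
        try:
            user = get_user(payload.get("user_id"))
        except UserDoesNotExist:
            raise InvalidTokenError("no user for id %r" % payload.get("user_id"))
        else:
            key = str(api_settings.JWT_GET_USER_SECRET_KEY(user))
    return key

def authenticate(payload):
    """Mirrors the auth class: InvalidTokenError becomes a clean rejection (None)."""
    try:
        return jwt_get_secret_key(payload)
    except InvalidTokenError:
        return None

def escapes_as_server_error(payload):
    """True when the pre-PR lookup lets DoesNotExist escape (the reported 500)."""
    try:
        jwt_get_secret_key_before(payload)
    except UserDoesNotExist:
        return True
    return False
```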

@detectedstealth

Any ETA on when this will be merged? I ran into the same issue with a deleted user.
