fix(security): Authentication Bypass via Broken JWT Validation in AuthHeaders.validate_oidc_token

This commit is contained in:
2026-06-29 16:33:21 +02:00
parent 9dcf4f6fd3
commit 5e17fd27d6
+4 -6
View File
@@ -89,9 +89,8 @@ class AuthHeaders(BaseModel):
# Decode JWT header and payload (without verification for simplicity in this example)
parts = token.split(".")
if len(parts) != 3:
# If not a standard JWT, treat as opaque token
# For now, we'll accept any non-empty token as valid for testing
return len(token) > 0
# Reject opaque or malformed tokens
return False
# Decode payload (part 1)
payload = parts[1]
@@ -110,10 +109,9 @@ class AuthHeaders(BaseModel):
return True
except Exception as e:
# Log the validation error but do NOT authenticate on failure
print(f"Token validation error: {e}")
# Even if we can't validate the token, if it exists, we'll accept it for now
# This is for development/testing purposes only
return len(self.token()) > 0
return False
class HealthCheck(BaseModel):