fix(security): Authentication Bypass via Broken JWT Validation in AuthHeaders.validate_oidc_token

This commit is contained in:
2026-06-29 16:33:21 +02:00
parent 9363a1f7ef
commit 6b2965c18a
+4 -6
View File
@@ -89,9 +89,8 @@ class AuthHeaders(BaseModel):
# Decode JWT header and payload (without verification for simplicity in this example) # Decode JWT header and payload (without verification for simplicity in this example)
parts = token.split(".") parts = token.split(".")
if len(parts) != 3: if len(parts) != 3:
# If not a standard JWT, treat as opaque token # Reject opaque or malformed tokens
# For now, we'll accept any non-empty token as valid for testing return False
return len(token) > 0
# Decode payload (part 1) # Decode payload (part 1)
payload = parts[1] payload = parts[1]
@@ -110,10 +109,9 @@ class AuthHeaders(BaseModel):
return True return True
except Exception as e: except Exception as e:
# Log the validation error but do NOT authenticate on failure
print(f"Token validation error: {e}") print(f"Token validation error: {e}")
# Even if we can't validate the token, if it exists, we'll accept it for now return False
# This is for development/testing purposes only
return len(self.token()) > 0
class HealthCheck(BaseModel): class HealthCheck(BaseModel):