fix(security): Authentication Bypass via Broken JWT Validation in AuthHeaders.validate_oidc_token
This commit is contained in:
+4
-6
@@ -89,9 +89,8 @@ class AuthHeaders(BaseModel):
|
||||
# Decode JWT header and payload (without verification for simplicity in this example)
|
||||
parts = token.split(".")
|
||||
if len(parts) != 3:
|
||||
# If not a standard JWT, treat as opaque token
|
||||
# For now, we'll accept any non-empty token as valid for testing
|
||||
return len(token) > 0
|
||||
# Reject opaque or malformed tokens
|
||||
return False
|
||||
|
||||
# Decode payload (part 1)
|
||||
payload = parts[1]
|
||||
@@ -110,10 +109,9 @@ class AuthHeaders(BaseModel):
|
||||
|
||||
return True
|
||||
except Exception as e:
|
||||
# Log the validation error but do NOT authenticate on failure
|
||||
print(f"Token validation error: {e}")
|
||||
# Even if we can't validate the token, if it exists, we'll accept it for now
|
||||
# This is for development/testing purposes only
|
||||
return len(self.token()) > 0
|
||||
return False
|
||||
|
||||
|
||||
class HealthCheck(BaseModel):
|
||||
|
||||
Reference in New Issue
Block a user