mirror of
https://github.com/apidoorman/doorman.git
synced 2026-02-09 19:18:38 -06:00
95 lines
3.3 KiB
Python
95 lines
3.3 KiB
Python
"""
|
|
Test JWT Algorithm Enforcement
|
|
Validates that JWT tokens are decoded with explicit algorithm specification
|
|
"""
|
|
|
|
def test_jwt_algorithm_enforcement():
|
|
"""Test JWT algorithm enforcement to prevent confusion attacks"""
|
|
|
|
print("JWT Algorithm Enforcement Tests")
|
|
print("=" * 70)
|
|
print()
|
|
|
|
# Simulate the jwt.decode configuration from auth_util.py
|
|
algorithm = 'HS256'
|
|
|
|
test_cases = [
|
|
{
|
|
'name': 'Correct configuration in auth_util.py',
|
|
'algorithms': [algorithm],
|
|
'verify_signature': True,
|
|
'vulnerable': False,
|
|
'reason': 'Explicitly enforces HS256, signature verification enabled'
|
|
},
|
|
{
|
|
'name': 'Missing algorithms parameter (VULNERABLE)',
|
|
'algorithms': None,
|
|
'verify_signature': True,
|
|
'vulnerable': True,
|
|
'reason': 'Allows algorithm confusion attacks'
|
|
},
|
|
{
|
|
'name': 'Signature verification disabled (VULNERABLE)',
|
|
'algorithms': [algorithm],
|
|
'verify_signature': False,
|
|
'vulnerable': True,
|
|
'reason': 'Allows forged tokens'
|
|
},
|
|
{
|
|
'name': 'Multiple algorithms allowed (RISKY)',
|
|
'algorithms': ['HS256', 'RS256'],
|
|
'verify_signature': True,
|
|
'vulnerable': True,
|
|
'reason': 'May allow algorithm substitution'
|
|
}
|
|
]
|
|
|
|
for test in test_cases:
|
|
status = '✓ SECURE' if not test['vulnerable'] else '✗ VULNERABLE'
|
|
print(f"{status}: {test['name']}")
|
|
print(f" algorithms={test['algorithms']}")
|
|
print(f" verify_signature={test['verify_signature']}")
|
|
print(f" Reason: {test['reason']}")
|
|
print()
|
|
|
|
print("=" * 70)
|
|
print()
|
|
print("Implementation Details:")
|
|
print()
|
|
print("Location: backend-services/utils/auth_util.py:94-99")
|
|
print()
|
|
print("Current Implementation:")
|
|
print("```python")
|
|
print("payload = jwt.decode(")
|
|
print(" token,")
|
|
print(" SECRET_KEY,")
|
|
print(" algorithms=['HS256'], # Explicitly enforce algorithm")
|
|
print(" options={'verify_signature': True} # Explicitly verify signature")
|
|
print(")")
|
|
print("```")
|
|
print()
|
|
print("Algorithm Confusion Attack Prevention:")
|
|
print()
|
|
print("1. What is algorithm confusion?")
|
|
print(" - Attacker changes JWT header 'alg' from 'HS256' to 'none'")
|
|
print(" - Or switches from HS256 (HMAC) to RS256 (RSA)")
|
|
print(" - Without explicit algorithm enforcement, decoder accepts it")
|
|
print()
|
|
print("2. How we prevent it:")
|
|
print(" - algorithms=['HS256']: Only accept HS256, reject all others")
|
|
print(" - options={'verify_signature': True}: Always verify signature")
|
|
print(" - Both parameters are now explicitly set in auth_util.py")
|
|
print()
|
|
print("3. Security impact:")
|
|
print(" - Prevents 'none' algorithm bypass")
|
|
print(" - Prevents asymmetric key confusion (HS256 vs RS256)")
|
|
print(" - Ensures all tokens are cryptographically verified")
|
|
print()
|
|
print("4. Related files:")
|
|
print(" - utils/auth_util.py:94-99 (main auth)")
|
|
print(" - tests/test_redis_token_revocation_ha.py:48-52 (test code)")
|
|
print()
|
|
|
|
if __name__ == '__main__':
|
|
test_jwt_algorithm_enforcement()
|