fixed security issue in token-service where user-service in login nee…

…ds to send 'X-SERVICE-SECRET' as headers
abbastoof · Aug 16, 2024 · 782ea12 · 782ea12
1 parent 5830e41
commit 782ea12
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 11 deletions.
diff --git a/Backend/token_service/token_service/token_app/views.py b/Backend/token_service/token_service/token_app/views.py
@@ -12,11 +12,9 @@
 from .models import UserTokens
 import jwt
 from rest_framework.permissions import AllowAny
-from dotenv import load_dotenv
-import os
+from django.conf import settings
 
-load_dotenv()
-SECRET = os.environ.get('DJANGO_SECRET')
+SECRET = settings.SECRET_KEY
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
@@ -46,7 +44,12 @@ def post(self, request, *args, **kwargs) -> Response:
                 Response: The response object containing the token details.
         """
         secret_key = request.headers.get('X-SERVICE-SECRET')
-        if secret_key == SECRET:
+        response_message = {}
+        if secret_key is None:
+            response_message = {"error": "Unauthorized request"}
+            logger.info('Invalid secret keys = %s', response_message)
+            status_code = status.HTTP_401_UNAUTHORIZED
+        else:
             response_message = {}
             status_code = status.HTTP_201_CREATED
             id = request.data.get("id")
@@ -93,10 +96,7 @@ def post(self, request, *args, **kwargs) -> Response:
                 except Exception as err:
                     response_message = {"error": str(err)}
                     status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
-        else:
-            logger.info('Invalid secret keys = %s', response_message)
-            response_message = {"error": "Unauthorized request"}
-            status_code = status.HTTP_401_UNAUTHORIZED
+
         logger.info('response_message = %s', response_message)
         return Response(response_message, status=status_code)
 

diff --git a/Backend/user_service/user_service/user_app/user_session_views.py b/Backend/user_service/user_service/user_app/user_session_views.py
@@ -21,6 +21,10 @@
 load_dotenv()
 TOEKNSERVICE = os.environ.get('TOKEN_SERVICE')
 
+headers = {
+    "X-SERVICE-SECRET": settings.SECRET_KEY  # Replace with your actual secret key
+}
+
 logger = logging.getLogger(__name__)
 
 def generate_password():
@@ -69,12 +73,13 @@ def login(self, request):
                         status_code = status.HTTP_200_OK
                     else:
                         data = {"id": serializer.data["id"], "username": serializer.data["username"]}
-                        response = requests.post(f"{TOEKNSERVICE}/auth/token/gen-tokens/", data=data)
+                        response = requests.post(f"{TOEKNSERVICE}/auth/token/gen-tokens/", data=data, headers=headers)
                         if response.status_code == 201:
                             response_message = response.json()
-                        logger.info('user_data = %s', response_message)
+                        logger.info('user_data = %s', response.json())
                         if "error" in response_message:
                             status_code = response_message.get("status_code")
+                            response_message = response.json()
                         else:
                             status_code = status.HTTP_200_OK
                 else: