Verify Serializer Should Honour Blacklist #239
Conversation
There was a problem hiding this comment.
Thanks for your contribution! Left my review of your PR. Please resolve each comment as you make those changes. Sorry for taking so long @philipp-siegmantel Just getting exponentially busier with college comin' up.
I think from a security standpoint, it looks fine. You can see the description for the token type is:
https://github.com/SimpleJWT/django-rest-framework-simplejwt/blob/master/rest_framework_simplejwt/tokens.py#L299-L303
Untyped tokens do not verify the "token_type" claim. This is useful
when performing general validation of a token's signature and other
properties which do not relate to the token's intended use.
I think only L158 is a concern. I'll leave another comment for that, but basically, you don't want to let someone know that it's blacklisted.
|
Closes #231 Hopefully that links with the issue so that the issue automatically closes. |
|
I add your suggestions, thanks for them. Now I have a problem I can't seem to fix. The test checks that the blacklisted token does not verify, fails. This is due to the |
|
Quick question: would it be better if we had Travis? Would probably make reviewing PRs and seeing where tests failed easier since it's embedded into the GH site. |
|
Ok, now all tests pass. An attacker could still infer that a token is an access token, but only if it is blacklisted, so I see no problem. |
|
I think some form of CI would be great. Github has Actions, witch are pretty simple to set up. EDIT: I see you use CircleCI. |
Yea, not a fan of CircleCI; that was here before I started using GitHub. I like GitHub actions for CI/CD when it comes to testing certain things and publishing/deployment (e.g. AWS services testing without Moto and AWS deployment). But Travis CI has a nicer interface, especially for open source projects because the builds are individualized via the TOXENV. Additionally, testing the configuration of .travis.yml is a little more smooth and visibly more appealing. Some great things about GitHub actions are like if a certain path has a file change, then execute an action, whereas Travis doesn't support that.
Perhaps with certain configurations. Not too big of a problem for most Django websites since an attacker is not going to know some random website. |
|
Hi guys |
|
@auvipy do you mind reviewing this as well? I was waiting for David for a second opinion, but obviously he's absent now. |
|
|
||
|
|
||
| class TokenVerifySerializerShouldHonourBlacklist(MigrationTestCase): | ||
| migrate_from = ('token_blacklist', '0002_outstandingtoken_jti_hex') |
There was a problem hiding this comment.
this is testing migration but the PR is not showing any migration changes, or it was already done but not tested?
There was a problem hiding this comment.
Yea those migrations were already done and come from https://github.com/jazzband/django-rest-framework-simplejwt/tree/master/rest_framework_simplejwt/token_blacklist/migrations
With this patch, the TokenVerifySerializer checks the blacklist if the app is installed.
See Issue #231.