Merge pull request #146 from ahopkins/dev

ahopkins · web-flow · commit 0b56cd675579 · 2018-12-04T22:45:36.000+02:00
Version 1.2.1 - 2018-12-04
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -56,7 +56,7 @@
 # The short X.Y version.
 version = u"1.2"
 # The full version, including alpha/beta/rc tags.
-release = u"1.2.0"
+release = u"1.2.1"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/source/pages/changelog.rst b/docs/source/pages/changelog.rst
@@ -4,6 +4,14 @@ Changelog
 
 The format is based on `Keep a Changelog <http://keepachangelog.com/en/1.0.0/>`_ and this project adheres to `Semantic Versioning <http://semver.org/spec/v2.0.0.html>`_.
 
+++++++++++++++++++++++++++
+Version 1.2.1 - 2018-12-04
+++++++++++++++++++++++++++
+
+| **Fixed**
+| - `#143 <https://github.com/ahopkins/sanic-jwt/issues/143>`_. Security bug resolved on empty tokens
+|
+
 ++++++++++++++++++++++++++
 Version 1.2.0 - 2018-08-06
 ++++++++++++++++++++++++++
diff --git a/sanic_jwt/__init__.py b/sanic_jwt/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.2.0"
+__version__ = "1.2.1"
 __author__ = "Adam Hopkins"
 __credits__ = "Richard Kuesters"
 
diff --git a/sanic_jwt/authentication.py b/sanic_jwt/authentication.py
@@ -289,7 +289,7 @@ def _get_token(self, request, refresh_token=False):
         """
         if self.config.cookie_set():
             token = self._get_token_from_cookies(request, refresh_token)
-            if token is not None:
+            if token:
                 return token
 
             else:
@@ -298,15 +298,16 @@ def _get_token(self, request, refresh_token=False):
 
         if self.config.query_string_set():
             token = self._get_token_from_query_string(request, refresh_token)
-            if token is not None:
+            if token:
                 return token
 
             else:
                 if self.config.query_string_strict():
                     raise exceptions.MissingAuthorizationQueryArg()
 
         token = self._get_token_from_headers(request, refresh_token)
-        if token is not None:
+
+        if token:
             return token
 
         raise exceptions.MissingAuthorizationHeader()
diff --git a/setup.py b/setup.py
@@ -18,7 +18,7 @@
 
 setup(
     name="sanic-jwt",
-    version="1.2.0",
+    version="1.2.1",
     description="JWT oauth flow for Sanic",
     url="https://github.com/ahopkins/sanic-jwt",
     download_url="https://github.com/ahopkins/sanic-jwt/archive/master.zip",
diff --git a/tests/test_endpoints_basic.py b/tests/test_endpoints_basic.py
@@ -72,6 +72,26 @@ def test_auth_verify_missing_token_debug(app):
     assert "Authorization header not present." in response.json.get("reasons")
 
 
+def test_auth_verify_invalid_token(app):
+    sanic_app, _ = app
+    _, response = sanic_app.test_client.get(
+        "/auth/verify", headers={"Authorization": "Bearer "}
+    )
+    assert response.status == 400
+    assert response.json.get("exception") == "InvalidAuthorizationHeader"
+    assert "Authorization header is invalid." in response.json.get("reasons")
+
+
+def test_auth_verify_invalid_token(app):
+    sanic_app, _ = app
+    _, response = sanic_app.test_client.get(
+        "/auth/verify", headers={"Authorization": "Bearer "}
+    )
+    assert response.status == 401
+    assert response.json.get("exception") == "MissingAuthorizationHeader"
+    assert "Authorization header not present." in response.json.get("reasons")
+
+
 def test_auth_refresh_not_found(app):
     sanic_app, _ = app
     _, response = sanic_app.test_client.post("/auth/refresh")
diff --git a/tests/test_endpoints_cookies.py b/tests/test_endpoints_cookies.py
@@ -365,3 +365,16 @@ def test_refresh_token_with_cookies_not_strict(
             sanicjwt.config.cookie_refresh_token_name(), None
         ) is None  # there is no new refresh token
         assert sanicjwt.config.cookie_refresh_token_name() not in response.json
+
+    def test_auth_verify_invalid_token(self, app_with_refresh_token):
+        sanic_app, sanicjwt = app_with_refresh_token
+
+        _, response = sanic_app.test_client.get(
+            "/auth/verify",
+            cookies={sanicjwt.config.cookie_access_token_name(): ""},
+        )
+        assert response.status == 401
+        assert response.json.get("exception") == "MissingAuthorizationCookie"
+        assert "Authorization cookie not present." in response.json.get(
+            "reasons"
+        )
diff --git a/tests/test_endpoints_query_string.py b/tests/test_endpoints_query_string.py
@@ -334,3 +334,17 @@ def test_refresh_token_with_query_string_not_strict(
             sanicjwt.config.query_string_refresh_token_name(), None
         ) is None  # there is no new refresh token
         assert sanicjwt.config.query_string_refresh_token_name() not in response.json
+
+    def test_auth_verify_invalid_token(self, app_with_refresh_token):
+        sanic_app, sanicjwt = app_with_refresh_token
+
+        _, response = sanic_app.test_client.get(
+            "/auth/verify?{}=".format(
+                sanicjwt.config.cookie_access_token_name()
+            )
+        )
+        assert response.status == 401
+        assert response.json.get("exception") == "MissingAuthorizationQueryArg"
+        assert "Authorization query argument not present." in response.json.get(
+            "reasons"
+        )
diff --git a/tests/test_static.py b/tests/test_static.py
diff --git a/tox.ini b/tox.ini
@@ -59,7 +59,7 @@ commands =
 deps = coverage
 skip_install = true
 commands =
-    ; coverage combine --append
+    coverage combine --append
     coverage report
     coverage html
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-__version__ = "1.2.0"`
	`1`	`+__version__ = "1.2.1"`
`2`	`2`	`__author__ = "Adam Hopkins"`
`3`	`3`	`__credits__ = "Richard Kuesters"`
`4`	`4`