fix token audience/scopes validation

uc-cdis · Jan 27, 2023 · 0f76865 · 0f76865
1 parent be159a9
commit 0f76865
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/sheepdog/blueprint/routes/views/__init__.py b/sheepdog/blueprint/routes/views/__init__.py
@@ -54,7 +54,11 @@ def get_programs():
         }
     """
     if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
-        auth.validate_request(aud={"openid"}, purpose=None)
+        auth.validate_request(
+            scope={"openid"},
+            audience=flask.current_app.config.get("BASE_URL"),
+            purpose=None,
+        )
     with flask.current_app.db.session_scope():
         programs = current_app.db.nodes(models.Program.name).all()
     links = [flask.url_for(".get_projects", program=p[0]) for p in programs]

diff --git a/sheepdog/blueprint/routes/views/program/__init__.py b/sheepdog/blueprint/routes/views/program/__init__.py
@@ -59,7 +59,11 @@ def get_projects(program):
         }
     """
     if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
-        auth.validate_request(aud={"openid"}, purpose=None)
+        auth.validate_request(
+            scope={"openid"},
+            audience=flask.current_app.config.get("BASE_URL"),
+            purpose=None,
+        )
     with flask.current_app.db.session_scope():
         matching_programs = flask.current_app.db.nodes(models.Program).props(
             name=program

diff --git a/sheepdog/blueprint/routes/views/program/project.py b/sheepdog/blueprint/routes/views/program/project.py
@@ -132,7 +132,11 @@ def get_project_dictionary(program=None, project=None):
         403: Unauthorized request.
     """
     if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
-        auth.validate_request(aud={"openid"}, purpose=None)
+        auth.validate_request(
+            scope={"openid"},
+            audience=flask.current_app.config.get("BASE_URL"),
+            purpose=None,
+        )
     keys = list(dictionary.schema.keys()) + ["_all"]
     links = [
         flask.url_for(
@@ -228,7 +232,11 @@ def get_project_dictionary_entry(program, project, entry):
         403: Unauthorized request.
     """
     if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
-        auth.validate_request(aud={"openid"}, purpose=None)
+        auth.validate_request(
+            scope={"openid"},
+            audience=flask.current_app.config.get("BASE_URL"),
+            purpose=None,
+        )
     return get_dictionary_entry(entry)