Colin-b / httpx_auth

Authentication classes to be used with httpx
MIT License

Fix JSONDecodeError due to Improper Handling of Nested JSON Strings in JWT Payloads #93

Open pythrick opened 4 months ago

pythrick commented 4 months ago

Description

This PR addresses an issue in the decode_base64 function where nested JSON strings within JWT tokens were being corrupted due to incorrect decoding of base64 strings that are not URL-safe. This corruption occurred because the original decoding was not handling certain characters properly, leading to JSON decoding errors when attempting to parse these strings back into JSON objects.

Changes

Previous Behavior

Previously, when JWT tokens contained nested JSON strings encoded in base64, the decode_base64 function would sometimes corrupt these strings. This was particularly apparent when characters like '+' and '/' were included in the base64 string, which were not correctly handled by the standard base64.b64decode. The JSON parser would then fail to parse the string due to misplaced or altered characters.

For example, decoding a JWT payload with nested JSON would lead to a JSONDecodeError:

import jwt
import json
from httpx_auth import decode_base64

# Original code
def test_decode_base64_with_unsafe_chars():
    dummy_token = jwt.encode({"data": json.dumps({"something": ["else"]})}, key="")
    header, body, signature = dummy_token.split(".")
    decoded_bytes = decode_base64(body)  # This would corrupt the JSON
    result = json.loads(decoded_bytes)
    assert result == {"data": '{"something": ["else"]}'}

New Behavior

With the new changes, the decode_base64 function correctly decodes the base64 string without corrupting the JSON structure:

import jwt
import json
from httpx_auth import decode_base64

# Updated code
def test_decode_base64_with_unsafe_chars():
    dummy_token = jwt.encode({"data": json.dumps({"something": ["else"]})}, key="")
    header, body, signature = dummy_token.split(".")
    decoded_bytes = decode_base64(body)  # Correctly decodes the JSON
    result = json.loads(decoded_bytes)
    assert result == {"data": {"something": ["else"]}}

This fix ensures that JWT tokens with nested JSON can be handled without errors, improving the robustness of the authentication handling in applications using httpx-auth.

Additional Notes

This update is crucial for applications that depend on precise and error-free handling of JWT tokens, especially in scenarios involving complex data structures within the token payloads.

Closes #92
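As an added illustration (not code from this PR or from httpx_auth), the block below shows why a JWT segment has to be decoded with the URL-safe alphabet and strict validation rather than a lenient standard base64 decode, using the nested JSON claim from the description above. The function names, the regex and the constructed token with its placeholder signature are all hypothetical:

```python
import base64
import binascii
import json
import re

# Unpadded base64url alphabet used by JWS compact serialisation (RFC 7515)
_B64URL = re.compile(r"[A-Za-z0-9_-]+")

def b64url_encode(raw: bytes) -> str:
    """Encode as JWS does: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def lenient_decode(segment: str):
    """The fragile pattern: restore padding, then plain b64decode().
    Its default validate=False silently drops '-' and '_', so the result
    is truncated/garbled or a padding error (returned here as None)."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded)
    except binascii.Error:
        return None

def decode_jwt_segment(segment: str) -> bytes:
    """Strict base64url decode: reject anything outside the JWS alphabet."""
    if not _B64URL.fullmatch(segment):
        raise ValueError("segment is not unpadded base64url")
    padded = segment + "=" * (-len(segment) % 4)
    # altchars maps '-_' onto '+/'; validate=True refuses stray characters
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def split_claims(token: str) -> dict:
    """Payload claims of a compact JWS. Decoding is not verification:
    the signature segment is never checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(decode_jwt_segment(parts[1]))

def make_test_token(claims: dict) -> str:
    """Constructed token with a placeholder signature (hypothetical helper)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"

# '?' as the third byte of a base64 triple encodes to '_' in base64url:
# b'{"abc":"?"}' -> 'eyJhYmMiOiI_In0'. "data" is the nested JSON string
# from the PR description, kept as a string claim by the strict decoder.
TOKEN = make_test_token({"abc": "?", "data": json.dumps({"something": ["else"]})})
```

For any segment containing '-' or '_', `lenient_decode` returns None or truncated bytes (which one depends on the Python version), while `decode_jwt_segment` returns the exact payload and `split_claims` hands back the nested JSON string untouched, ready for a second `json.loads`.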

sonarcloud[bot] commented 4 months ago

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

CameronNemo commented 2 months ago

@Colin-b any reason not to merge this?

Colin-b commented 2 months ago

Hello, I haven't had time to review anything from httpx-auth yet. And this PR will require me to add the proper tests on all affected auth classes (not unit tests but functional tests)