NabuCasa / pycognito

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

Breaking Security Fix in Upstream Dependency (cryptography) #223

Open jrschiestle opened 3 months ago

jrschiestle commented 3 months ago

Hello,

A vulnerability scan flagged the upstream dependency cryptography (pycognito -> pyjwt[crypto] -> cryptography) that is fixed for versions > 42.0.4. See: https://github.com/advisories/GHSA-6vqw-3v5j-54x4

This update to cryptography causes breaking changes where:

from pycognito import Cognito

# Tokens are passed as str, exactly as they come back from Cognito
idToken = '<idToken>'
accessToken = '<accessToken>'

userPoolId = '<userPoolId>'
clientId = '<clientId>'
region = '<region>'

u = Cognito(
    user_pool_id=userPoolId,
    client_id=clientId,
    user_pool_region=region,
    id_token=idToken,
    access_token=accessToken
)
# Verification hands the tokens down to pyjwt, where the error is raised
u.verify_tokens()

Results in:

>> TypeError: argument 'data': from_buffer() cannot return the address of a unicode object

with the error occurring upstream in jwt

If you attempt to pass the tokens in as bytes you get:

>> TypeError: a bytes-like object is required, not 'str'

Where the error occurs within pycognito.

I have created a PR to fix this breaking change by handling the cases at these two points of failure: #222
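The two failures above are the same boundary problem seen from both sides: one layer wants `str`, the next wants `bytes`. The example below is added here and is not code from pycognito or pyjwt; it shows one way to normalise a JWT at the API boundary so a caller may pass either type, then feeds the verifier the `bytes` it needs. It uses a constructed HS256 token and key (`KEY`, `make_hs256`) purely so it runs stand-alone; real Cognito tokens are verified against the pool's public keys.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple, Union

TokenLike = Union[str, bytes]

def as_text(token: TokenLike) -> str:
    """Normalise a compact JWS to str, whether the caller gave str or bytes."""
    if isinstance(token, bytes):
        return token.decode("ascii")          # compact JWS is ASCII-only
    if isinstance(token, str):
        token.encode("ascii")                 # raises on non-ASCII junk
        return token
    raise TypeError(f"token must be str or bytes, not {type(token).__name__}")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def split_jwt(token: TokenLike) -> Tuple[Dict[str, Any], Dict[str, Any], bytes, bytes]:
    """Return (header, payload, signing_input as bytes, signature as bytes)."""
    parts = as_text(token).split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")  # bytes for the MAC
    return header, payload, signing_input, b64url_decode(parts[2])

def verify_hs256(token: TokenLike, key: bytes) -> Dict[str, Any]:
    """Verify an HS256 token given as str or bytes; return its payload."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")    # never let the token pick the alg
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload

def make_hs256(payload: Dict[str, Any], key: bytes) -> str:
    """Build a constructed demo token (hypothetical helper, not a real issuer)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

Because `split_jwt` normalises first and encodes to `bytes` only where the MAC needs it, the same verifier accepts both call styles from the report and rejects anything that is neither.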

nk9 commented 1 month ago

Seems like an important fix to get into main. @pvizeli

tomjridge commented 6 days ago

I just hit this issue too.