Styria-Digital / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
https://styria-digital.github.io/django-rest-framework-jwt/
MIT License

Avoid unhandled error for tokens with an unrecognized key id #78

Closed ashokdelphia closed 3 years ago

ashokdelphia commented 3 years ago

Raise an invalid token error when the incoming token has an unrecognized key id.

Key error isn't obviously incorrect, but looking at how it's used in the jwt package, it looks to generally be used for malformed keys, which I would expect to be a sign something was misconfigured, rather than a bad value from a client.

By switching this to InvalidTokenError, we'll properly handle the error when authenticating. At present, we handle InvalidTokenError and some specific subclasses, but InvalidKeyError bubbles up as an unhandled error leading to a 500 error from Django. (InvalidTokenError and InvalidKeyError are siblings in the exception hierarchy, under PyJWTError.)

(I tried this locally, hitting an authenticated endpoint using a token with an unrecognized key id. Without this change, I get a 500 error for the unhandled InvalidKeyError and with it I get the expected Invalid token / authentication_failed JSON response.)
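The failure mode the PR describes, as an added illustration that is not the project's own code: PyJWT's InvalidKeyError and InvalidTokenError are sibling subclasses of PyJWTError, so an authentication path that handles only InvalidTokenError lets an unrecognized key id escape as an unhandled exception. The key registry, the sample token and the "old" and "new" lookup functions below are constructed stand-ins for the library's real key resolution; if PyJWT is not installed, the script mirrors its exception hierarchy locally so it still runs offline.

```python
"""Added example (not django-rest-framework-jwt code): why an unrecognized
key id must surface as InvalidTokenError to be handled as a 401 rather
than escaping as a 500."""
import base64
import json

try:
    from jwt.exceptions import InvalidKeyError, InvalidTokenError, PyJWTError
except ImportError:  # PyJWT absent: mirror its hierarchy (both are siblings)
    class PyJWTError(Exception):
        pass

    class InvalidTokenError(PyJWTError):
        pass

    class InvalidKeyError(PyJWTError):
        pass

# Constructed key registry: key id -> verification key (placeholder values).
KEYS = {"kid-2021": "placeholder-verification-key"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(kid):
    """Constructed sample token. Only the header segment matters here: the
    payload and signature are placeholders because key lookup fails before
    any signature verification happens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    return f"{header}.{_b64url(b'{}')}.placeholder-signature"


def kid_from_token(token):
    """Read the kid from the unverified header, as a key resolver would."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        raise InvalidTokenError("malformed token header")
    return header.get("kid")


def lookup_key_old(kid):
    """'Before' behaviour from the PR: unknown kid raises InvalidKeyError."""
    if kid not in KEYS:
        raise InvalidKeyError(f"unrecognized key id: {kid!r}")
    return KEYS[kid]


def lookup_key_new(kid):
    """'After' behaviour: unknown kid raises InvalidTokenError."""
    if kid not in KEYS:
        raise InvalidTokenError(f"unrecognized key id: {kid!r}")
    return KEYS[kid]


def authenticate(token, lookup):
    """Stand-in for the authentication path: InvalidTokenError (and its
    subclasses) becomes an authentication_failed response; anything else
    propagates, which the web framework turns into a 500."""
    try:
        lookup(kid_from_token(token))
    except InvalidTokenError:
        return {"status": 401, "detail": "Invalid token.",
                "code": "authentication_failed"}
    return {"status": 200, "detail": "ok"}


def observed_status(token, lookup):
    """HTTP status the client sees; 500 stands for an unhandled exception."""
    try:
        return authenticate(token, lookup)["status"]
    except PyJWTError:
        return 500


if __name__ == "__main__":
    good, unknown = make_sample_token("kid-2021"), make_sample_token("kid-9999")
    print("known kid, old lookup :", observed_status(good, lookup_key_old))
    print("unknown kid, old lookup:", observed_status(unknown, lookup_key_old))
    print("unknown kid, new lookup:", observed_status(unknown, lookup_key_new))
```

Running it shows 200, 500 and 401 respectively: the same unrecognized key id is a server error with the old exception type and a clean authentication failure with the new one, which is the change the PR makes.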

nigoroll commented 3 years ago

No opinion here; it seems to make sense.

ashokdelphia commented 3 years ago

The build failure looks broken on master. I've put up a fix in #81.

fitodic commented 3 years ago

@ashokdelphia Thanks for the PR 🙂 Would you mind adding a changelog?

ashokdelphia commented 3 years ago

> @ashokdelphia Thanks for the PR 🙂 Would you mind adding a changelog?

Done. Sorry to forget that.