Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/notifications_python_client/authentication.py", line 97, in decode_jwt_token
decoded_token = jwt.decode(
File "/usr/local/lib/python3.9/site-packages/jwt/api_jwt.py", line 119, in decode
decoded = self.decode_complete(jwt, key, algorithms, options, **kwargs)
File "/usr/local/lib/python3.9/site-packages/jwt/api_jwt.py", line 90, in decode_complete
decoded = api_jws.decode_complete(
File "/usr/local/lib/python3.9/site-packages/jwt/api_jws.py", line 149, in decode_complete
self._verify_signature(signing_input, header, signature, key, algorithms)
File "/usr/local/lib/python3.9/site-packages/jwt/api_jws.py", line 229, in _verify_signature
raise InvalidAlgorithmError("The specified alg value is not allowed")
jwt.exceptions.InvalidAlgorithmError: The specified alg value is not allowed
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1514, in full_dispatch_request
rv = self.preprocess_request()
File "/opt/python/lib/python3.9/site-packages/newrelic/api/function_trace.py", line 166, in literal_wrapper
return wrapped(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1857, in preprocess_request
rv = self.ensure_sync(before_func)()
File "/opt/python/lib/python3.9/site-packages/newrelic/hooks/framework_flask.py", line 374, in _nr_wrapper_Blueprint_before_request_wrapped_
return wrapped(*args, **kwargs)
File "/app/app/authentication/auth.py", line 120, in requires_auth
decode_jwt_token(auth_token, api_key.secret)
File "/usr/local/lib/python3.9/site-packages/notifications_python_client/authentication.py", line 110, in decode_jwt_token
raise TokenAlgorithmError
Describe the bug
A service tried using JWTs in their API requests, causing uncaught TokenAlgorithmError errors.
Bug Severity
See examples in the documentation (SEV-1 Critical, SEV-2 Major, SEV-3 Minor, SEV-4 Low)
SEV-3? Can trigger OpsGenie, and we probably don't send back a meaningful error message.
To Reproduce
Try to use a bad JWT with the API.
Expected behavior
The API handles the error by sending back an error message and does not crash.
Impact
CDS staff: can trigger alerts
Service owners: can get back unhelpful error messages
Additional context
Incident report
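As an added example of the behaviour the "Expected behavior" section asks for (this is not the Notify API's code nor the notifications_python_client implementation), the sketch below keeps the same two steps the traceback shows, an alg allow-list check inside the verifier followed by a TokenAlgorithmError wrapper, but catches the error in the before_request hook and returns a structured 403 instead of letting it surface as a 500. It uses only the standard library so it runs stand-alone: the HS256-only allow-list, the requires_auth signature (a headers dict in place of the Flask request object), and the error message wording are assumptions standing in for Flask and PyJWT.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the API only issues and accepts HS256 tokens signed with the
# service's API key secret, so that is the whole allow-list.
ALLOWED_ALGS = ("HS256",)


class TokenAlgorithmError(Exception):
    """The token's alg header is not on the allow-list (same name as in the traceback)."""


class TokenDecodeError(Exception):
    """Malformed token, bad signature or expired token."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build a compact JWS. alg is a parameter so a caller can forge a header the
    server must refuse (e.g. "none"); only HS256 gets a real MAC."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if alg == "HS256":
        sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    else:
        sig = b""  # unsigned, as an alg=none forgery would be
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt(token: str, secret: str) -> dict:
    """Verify and decode. The alg allow-list is checked before the signature is
    touched: alg comes from the untrusted header and must never pick the verifier."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenDecodeError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError and JSON errors
        raise TokenDecodeError("header is not base64url-encoded JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        raise TokenAlgorithmError(f"alg {alg!r} is not allowed")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenDecodeError("signature is not base64url") from exc
    if not hmac.compare_digest(expected, presented):
        raise TokenDecodeError("signature verification failed")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenDecodeError("payload is not base64url-encoded JSON") from exc
    if isinstance(payload, dict) and "exp" in payload and payload["exp"] < time.time():
        raise TokenDecodeError("token has expired")
    return payload


def requires_auth(headers: dict, secret: str):
    """Stand-in for the before_request hook in the traceback. Returns None when the
    request may proceed, or a (status, body) pair the framework would send instead
    of an unhandled exception. Message wording is an assumption."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"result": "error", "message": "Unauthorized: a bearer token is required"}
    try:
        decode_jwt(auth[len("Bearer "):], secret)
    except TokenAlgorithmError:
        return 403, {"result": "error", "message": "Invalid token: algorithm is not HS256"}
    except TokenDecodeError as exc:
        return 403, {"result": "error", "message": f"Invalid token: {exc}"}
    return None


if __name__ == "__main__":
    secret = "example-api-key-secret"  # constructed sample secret
    good = encode_jwt({"iss": "service-id", "iat": int(time.time())}, secret)
    print(requires_auth({"Authorization": "Bearer " + good}, secret))
    forged = encode_jwt({"iss": "service-id"}, secret, alg="none")
    print(requires_auth({"Authorization": "Bearer " + forged}, secret))
```

The ordering inside decode_jwt is the security-relevant part: the allow-list is consulted before any signature work, which is also where PyJWT raises InvalidAlgorithmError in the traceback above, so an alg=none or alg-swapped token never reaches HMAC verification. The handler then maps both token error classes to a 403 with a client-readable message, which is what stops the exception reaching the framework's 500 path and the alerting behind it.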