hypothesis / h

Annotate with anyone, anywhere.
https://hypothes.is/
BSD 2-Clause "Simplified" License

Crash when handling publisher-generated JWT grant token with invalid account ID #5661

Open robertknight opened 5 years ago

robertknight commented 5 years ago

https://sentry.io/organizations/hypothesis/issues/1106040600/

A crash occurs if a publisher with keys for an authority generates a grant token for an invalid user ID (e.g. acct:@authority) and the client POSTs it to the /api/token route.

In one of the reports in the linked Sentry issue, the contents of the JWT token submitted to the endpoint were:

```json
{
  "aud": "hypothes.is",
  "iss": "d9bb38d6-9c38-11e9-9718-935e4c0dc38c",
  "sub": "acct:@h.jonudell.info",
  "nbf": 1563383764,
  "exp": 1563384364
}
```

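An added example, not h's own code, of the input validation a defender would want in front of the grant-token path: it checks audience and time window on already-decoded claims, and rejects a subject such as acct:@authority with a structured error that the endpoint can map to a 4xx response instead of crashing. The userid grammar, the function names and SAMPLE_CLAIMS are assumptions constructed for this example; signature verification is out of scope.

```python
import re
import time
from dataclasses import dataclass

# Constructed sample: the claims from the Sentry report, with an empty username.
SAMPLE_CLAIMS = {
    "aud": "hypothes.is",
    "iss": "d9bb38d6-9c38-11e9-9718-935e4c0dc38c",
    "sub": "acct:@h.jonudell.info",
    "nbf": 1563383764,
    "exp": 1563384364,
}

# Hypothetical strict grammar: "acct:<username>@<authority>", both parts non-empty.
USERID_RE = re.compile(r"^acct:(?P<username>[A-Za-z0-9._]{3,30})@(?P<authority>[^@\s]+)$")


class GrantTokenError(ValueError):
    """Malformed grant token; callers should map this to a client error, not a 500."""


@dataclass(frozen=True)
class GrantSubject:
    username: str
    authority: str


def split_userid(userid):
    """Split an acct: userid into its parts, rejecting empty or malformed pieces."""
    match = USERID_RE.match(userid or "")
    if match is None:
        raise GrantTokenError("invalid subject userid: %r" % (userid,))
    return GrantSubject(match["username"], match["authority"])


def validate_grant_claims(claims, expected_aud, now=None):
    """Validate decoded grant-token claims and return the subject they name."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise GrantTokenError("wrong audience")
    if not isinstance(claims.get("nbf"), int) or not isinstance(claims.get("exp"), int):
        raise GrantTokenError("missing or non-integer nbf/exp")
    if now < claims["nbf"] or now >= claims["exp"]:
        raise GrantTokenError("token not yet valid or expired")
    return split_userid(claims.get("sub"))


def classify(claims, expected_aud, now):
    """Return ("ok", subject) or ("invalid", reason) so no exception escapes the handler."""
    try:
        return "ok", validate_grant_claims(claims, expected_aud, now)
    except GrantTokenError as exc:
        return "invalid", str(exc)
```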
robertknight commented 5 years ago

FYI @judell

sentry-io[bot] commented 5 years ago

Sentry issue: H-1QA