Open pgergov opened 6 years ago
Happens also when users whose account got deleted try to authenticate with tokens received before the deletion. Hope the bug gets fixed as soon as possible.
As long as this issue is not fixed, you can work around it by overriding `JWT_DECODE_HANDLER` as presented below:

```python
import jwt
from django.contrib.auth import get_user_model
from rest_framework_jwt import utils as rest_utils


def jwt_decode_handler(token):
    # Wraps the default handler; point the JWT_DECODE_HANDLER setting at this function.
    User = get_user_model()
    try:
        decode_value = rest_utils.jwt_decode_handler(token)
    except User.DoesNotExist:
        # Unknown (or deleted) user id in the payload: treat the token as invalid
        raise jwt.InvalidTokenError()
    return decode_value
```
The most important thing is the place where `jwt.InvalidTokenError` is raised. In `BaseJSONWebTokenAuthentication` this exception is handled:

```python
try:
    payload = jwt_decode_handler(jwt_value)
except jwt.ExpiredSignature:
    msg = _('Signature has expired.')
    raise exceptions.AuthenticationFailed(msg)
except jwt.DecodeError:
    msg = _('Error decoding signature.')
    raise exceptions.AuthenticationFailed(msg)
except jwt.InvalidTokenError:
    raise exceptions.AuthenticationFailed()
```

and the DRF exception `AuthenticationFailed` is raised.
Steps to reproduce:
- `id` inside the payload replaced with a non-existing one (according to your DB)
- Result: `BaseUser matching query does not exist.`

Code can be seen here: https://github.com/GetBlimp/django-rest-framework-jwt/blob/master/rest_framework_jwt/utils.py#L26
Steps to fix:
- the `.get` method should be wrapped in try/except catching `ObjectDoesNotExist`,
- or use `.filter(...).first()` and check if the resource is not None.

P.S. Am I missing something here? Is there a way to avoid this, or is a code change required?
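The following is an added, stand-alone example written for this page; it is not code from django-rest-framework-jwt nor from either commenter. It models both the workaround comment (catch the user lookup miss inside the decode handler and re-raise `jwt.InvalidTokenError`) and the "Steps to fix" list (wrap the `.get` in try/except), using only the standard library so it runs without Django or PyJWT. The exception classes, the `USERS` table, the `user_id` claim and the per-user signing secret are constructed stand-ins; that the lookup at the linked line is a per-user secret-key lookup run on the not-yet-verified payload is an assumption, not something the issue states. The security point it makes visible: because the user lookup is keyed by a claim read before the signature is checked, any client can make the server query an arbitrary id, so a miss must be reported as the same 401 as a bad signature rather than escaping as an unhandled exception (500).

```python
import base64
import hashlib
import hmac
import json

class InvalidTokenError(Exception):
    """Stand-in for jwt.InvalidTokenError."""

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (HTTP 401)."""

class DoesNotExist(Exception):
    """Stand-in for User.DoesNotExist; left uncaught it surfaces as HTTP 500."""

# Constructed user table (hypothetical data): pk -> per-user signing secret.
USERS = {1: "alice-secret", 2: "bob-secret"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def get_user(pk):
    """Mirrors User.objects.get(pk=...): raises on a miss instead of returning None."""
    if not isinstance(pk, int) or pk not in USERS:
        raise DoesNotExist("BaseUser matching query does not exist.")
    return pk

def encode(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder, just enough to build tokens for the demo."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _unverified_payload(token: str) -> dict:
    """Read the claims WITHOUT checking the signature: every value is attacker-controlled."""
    try:
        _, body, _ = token.split(".")
        payload = json.loads(_unb64(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise InvalidTokenError("Error decoding signature.") from None
    if not isinstance(payload, dict):
        raise InvalidTokenError("Invalid payload.")
    return payload

def _verify(token: str, secret: str) -> dict:
    """Check the HS256 signature with the secret chosen for this user."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise InvalidTokenError("Error decoding signature.")
    return json.loads(_unb64(body))

def decode_unpatched(token: str) -> dict:
    """Shape of the path the issue reports: the user lookup is keyed by the
    unverified user_id, and a miss escapes the handler as DoesNotExist."""
    payload = _unverified_payload(token)
    user = get_user(payload.get("user_id"))  # DoesNotExist propagates -> 500
    return _verify(token, USERS[user])

def decode_patched(token: str) -> dict:
    """Hardened: a miss (unknown or deleted user) becomes InvalidTokenError,
    which the authentication class maps to AuthenticationFailed (401)."""
    payload = _unverified_payload(token)
    try:
        user = get_user(payload.get("user_id"))
    except DoesNotExist:
        raise InvalidTokenError("Invalid user.") from None
    return _verify(token, USERS[user])

def authenticate(token: str, decode_handler) -> int:
    """Mirrors the except chain in BaseJSONWebTokenAuthentication quoted above."""
    try:
        payload = decode_handler(token)
    except InvalidTokenError:
        raise AuthenticationFailed() from None
    return payload["user_id"]

def http_status(token: str, decode_handler) -> int:
    """What the client sees: 200, 401 (handled) or 500 (unhandled exception)."""
    try:
        authenticate(token, decode_handler)
    except AuthenticationFailed:
        return 401
    except Exception:  # anything the auth class does not catch
        return 500
    return 200

if __name__ == "__main__":
    good = encode({"user_id": 1}, USERS[1])
    forged = encode({"user_id": 999}, "attacker-chosen")  # id absent from the DB
    print("unpatched:", http_status(good, decode_unpatched), http_status(forged, decode_unpatched))
    print("patched:  ", http_status(good, decode_patched), http_status(forged, decode_patched))
```

Deleting an entry from `USERS` after issuing a token for it reproduces the second comment's case (a pre-deletion token): the unpatched handler still leaks a 500, the patched one answers 401 like any other bad token. Whichever of the two fixes from the issue is chosen (`try/except ObjectDoesNotExist` or `.filter(...).first()` plus a None check), the decode handler must end up raising `jwt.InvalidTokenError`, because that is the only exception type the quoted authentication class converts into `AuthenticationFailed`.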