jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

How do I detect an invalid token? #839

Closed moonman239 closed 1 year ago

moonman239 commented 1 year ago

Suppose a hacker tries to pass a token to my server, that did not originate from my server. How do I detect when this happens?

I am guessing that if the token was not something generated and signed with my key, then one of two things will happen: 1) pyjwt will throw a JSONDecode error. jwt.decode won't even be able to decode the token, as the decryption algorithm will produce gobbledygook. 2) jwt.decode returns an object, but it won't have any of the expected keys (because, again, gobbledygook) so any attempt to access an expected key will result in a KeyError.

kairat-beep commented 1 year ago

Specification of JWT

  1. Verify that the resulting octet sequence is a UTF-8-encoded representation of a completely valid JSON object conforming to RFC 7159 [RFC7159]; let the JWT Claims Set be this JSON object.

That is what you get

import jwt
key = "secret"
encoded = jwt.encode({"some": "payload"}, key, algorithm="HS256")
print(encoded)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg

jwt.decode(encoded, key, algorithms=["HS256"])  # algorithms takes a list of allowed algorithms

{'some': 'payload'}

mal_encoded = "345" + encoded  # corrupt the header segment
jwt.decode(mal_encoded, key, algorithms=["HS256"])

Traceback (most recent call last):
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jws.py", line 261, in _load
    header = json.loads(header_data)
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\json\__init__.py", line 341, in loads
    s = s.decode(detect_encoding(s), 'surrogatepass')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x88 in position 9: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "", line 1, in
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jwt.py", line 168, in decode
    decoded = self.decode_complete(
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jwt.py", line 120, in decode_complete
    decoded = api_jws.decode_complete(
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jws.py", line 191, in decode_complete
    payload, signing_input, header, signature = self._load(jwt)
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jws.py", line 263, in _load
    raise DecodeError(f"Invalid header string: {e}") from e
jwt.exceptions.DecodeError: Invalid header string: 'utf-8' codec can't decode byte 0x88 in position 9: invalid start byt

kairat-beep commented 1 year ago

Bad key gives

Traceback (most recent call last):
  File "", line 1, in
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jwt.py", line 168, in decode
    decoded = self.decode_complete(
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jwt.py", line 120, in decode_complete
    decoded = api_jws.decode_complete(
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jws.py", line 202, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "C:\Users\kaira\AppData\Local\Programs\Python\Python310\lib\site-packages\jwt\api_jws.py", line 301, in _verify_signature
    raise InvalidSignatureError("Signature verification failed")
jwt.exceptions.InvalidSignatureError: Signature verification failed
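The two outcomes shown above (a corrupted token raising DecodeError, a foreign key raising InvalidSignatureError) come from the signature check, not from the payload being unreadable: an HS256 payload is only base64url-encoded, so anyone can read it, and the HMAC over the first two segments is the one thing that proves the token came from your key. As an added illustration that is not pyjwt's own code, the stdlib-only verifier below performs the same checks in the same order pyjwt does (split, parse header, pin the algorithm, verify the signature, only then parse claims), borrowing pyjwt's DecodeError/InvalidSignatureError names for the outcomes; the "345"+encoded and wrong-key cases from this thread are reproduced with it.

```python
import base64, hashlib, hmac, json

class DecodeError(Exception):
    """Token is not three base64url segments wrapping valid JSON (pyjwt: DecodeError)."""
class InvalidSignatureError(DecodeError):
    """HMAC mismatch: token was not minted with our key (pyjwt: InvalidSignatureError)."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    try:  # re-add the padding that JWTs strip, exactly as pyjwt does
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as e:  # binascii.Error is a ValueError
        raise DecodeError(f"Invalid base64url segment: {e}") from e

def sign_hs256(claims: dict, key: str) -> str:
    # Same header bytes jwt.encode(..., algorithm="HS256") produces.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: str) -> dict:
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError as e:
        raise DecodeError("Not enough segments") from e
    try:  # the "345"+encoded case fails here with UnicodeDecodeError
        header = json.loads(_b64url_decode(header_b64))
    except (UnicodeDecodeError, json.JSONDecodeError) as e:
        raise DecodeError(f"Invalid header string: {e}") from e
    # The token must not choose the algorithm; pinning it also rejects "none".
    # (pyjwt raises InvalidAlgorithmError for this; grouped under DecodeError here.)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise DecodeError("The specified alg value is not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidSignatureError("Signature verification failed")
    return json.loads(_b64url_decode(payload_b64))  # trusted only from here on

def classify(token: str, key: str) -> str:
    """Label a request handler can act on; never touches claims of a failed token."""
    try:
        verify_hs256(token, key)
        return "ok"
    except InvalidSignatureError:
        return "bad-signature"
    except DecodeError:
        return "malformed"
```

In pyjwt itself, catching jwt.exceptions.InvalidTokenError covers every one of these cases, since DecodeError, InvalidSignatureError, InvalidAlgorithmError and ExpiredSignatureError all derive from it.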

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
