openmainframeproject / feilong

Feilong is an open source z/VM cloud connector project under the Open Mainframe Project umbrella that will accelerate z/VM adoption, extending its ecosystem and its user experience. It provides a set of APIs to operate z/VM, including guests, images, networks, volumes, etc.
https://www.openmainframeproject.org/projects/feilong
Apache License 2.0

Fix auth mechanism 2/3 #779

Closed Bischoff closed 9 months ago

Bischoff commented 9 months ago

When running the command

$ curl http://localhost/ -H "Content-Type:application/json" -H 'X-Auth-Token:<user token>'

with the user token provided by the CreateToken() function, one systematically gets:

HTTP status: 401, body: {"overallRC": 400, "rc": 400, "rs": 401, "modID": 120, "output": "", "errmsg": "This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required."}

The logs in DEBUG mode show the message:

[2023-12-12 22:16:57] [DEBUG] token not valid

After debugging, it appears that the function jwt.decode() now needs a third argument with the decoding algorithms, as shown by this small python program:

import jwt  # PyJWT

# Sample HS256 signing secret (example value only)
key = "zvX2mFxuj8HcrYkAacLReV0RTQ0K5IIEighOR9F8AG"
# PyJWT signs with HS256 by default
encoded = jwt.encode({ "exp": 1702422356 }, key)
print(encoded)
# BAD: PyJWT 2.x raises jwt.exceptions.DecodeError here, because the
# caller no longer states which algorithms the token may be signed with
jwt.decode(encoded, key)
# GOOD: pin the accepted algorithm(s) explicitly
# jwt.decode(encoded, key, algorithms="HS256")

This PR prevents that decoding exception when using authentication tokens, by adding this missing parameter.
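The reason PyJWT made `algorithms` mandatory is that a verifier which trusts the `alg` field inside the token lets the token's author choose how it is checked. The following is an added illustration, not code from the Feilong project or from PyJWT: it re-implements HS256 encoding and decoding with only the standard library (the function names `encode_hs256`, `decode_hs256` and `verify_token` are this example's own) so that the behaviour behind the `algorithms` parameter is visible. The decoder refuses to run without an allow-list, rejects any token whose header names an algorithm outside that list, checks the signature in constant time, and then checks `exp`, mirroring what the fixed Feilong call relies on PyJWT to do.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, key: str) -> str:
    """Produce header.payload.signature signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ]
    signing_input = ".".join(segments)
    signature = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def decode_hs256(token: str, key: str, algorithms=None, now=None) -> dict:
    """Verify and decode a token; raises ValueError on any failure.

    Like PyJWT 2.x, an allow-list of algorithms is required: the verifier,
    not the token, decides how the signature is checked.
    """
    if not algorithms:
        raise ValueError("algorithms must be specified")
    if isinstance(algorithms, str):
        algorithms = [algorithms]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed token") from None
    alg = header.get("alg")
    if alg not in algorithms:
        # Covers "none", RS256-with-public-key-as-HMAC-secret and similar
        # header tampering: anything not explicitly allowed is rejected.
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    expected = hmac.new(
        key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def verify_token(token: str, key: str, now=None):
    """Server-side check of an X-Auth-Token value.

    Returns (True, payload) or (False, reason); the reason is what a
    DEBUG log line such as "token not valid" would carry.
    """
    try:
        return True, decode_hs256(token, key, algorithms=["HS256"], now=now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample secret and claims; the exp matches the issue text.
    secret = "example-signing-secret"
    token = encode_hs256({"exp": 1702422356, "sub": "zvm-user"}, secret)
    print(token)
    print(verify_token(token, secret, now=1702422000))   # valid
    print(verify_token(token, secret))                   # expired by now
    print(verify_token(token, "wrong-secret", now=1702422000))
```

The `now` argument exists only so that the expiry check is deterministic when exercised; in a server it is left at the default. Passing `algorithms` as a single string, as the PR does, is accepted as well.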

bjhuangr commented 9 months ago

Thanks for the fix.

Bischoff commented 9 months ago

> Thanks for the fix.

Thanks for the review and merge.