From e0f57e9de65d06aafe94e506282a96d0b1b7862e Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Wed, 27 Jan 2021 11:58:47 +0100
Subject: [PATCH] security stuff

---
 ENV.tmpl | 3 ---
 auth.py | 15 +--------------
 openapi.yaml | 35 ++++++++---------------------------
 3 files changed, 9 insertions(+), 44 deletions(-)

diff --git a/ENV.tmpl b/ENV.tmpl
index e5dbece..cec2b87 100644
--- a/ENV.tmpl
+++ b/ENV.tmpl
@@ -5,7 +5,4 @@ export DB_USER="hausverwaltung-ui"
 export DB_PASS="test123"
 export DB_NAME="hausverwaltung"
-export JWT_ISSUER='de.hottis.hausverwaltung'
 export JWT_SECRET='streng_geheim'
-export JWT_LIFETIME_SECONDS=60
-export JWT_ALGORITHM='HS256'
diff --git a/auth.py b/auth.py
index 645f298..7243e77 100755
--- a/auth.py
+++ b/auth.py
@@ -5,26 +5,13 @@ from werkzeug.exceptions import Unauthorized
 from jose import JWTError, jwt
 import os
-JWT_ISSUER = os.environ['JWT_ISSUER']
 JWT_SECRET = os.environ['JWT_SECRET']
-JWT_LIFETIME_SECONDS = int(os.environ['JWT_LIFETIME_SECONDS'])
-JWT_ALGORITHM = os.environ['JWT_ALGORITHM']
-def generate_token(user_id):
- timestamp = _current_timestamp()
- payload = { "iss": JWT_ISSUER, "iat": int(timestamp), "exp": int(timestamp + JWT_LIFETIME_SECONDS), "sub": str(user_id), }
- return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
-
 def decode_token(token):
 try:
- return jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
+ return jwt.decode(token, JWT_SECRET)
 except JWTError as e:
 six.raise_from(Unauthorized, e)
diff --git a/openapi.yaml b/openapi.yaml
index a4e0471..b798ee0 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -3,6 +3,9 @@ info:
 title: Hausverwaltung
 version: "0.1"
+security:
+ - jwt: []
+
 paths:
 /hv/objekte:
 get:
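Review bot: `return jwt.decode(token, JWT_SECRET)` drops the `algorithms=` allow-list, so the algorithm used to verify a token is now whatever its header declares rather than what the server configures; as far as I recall python-jose only rejects an unlisted `alg` when `algorithms=` is supplied. Since ENV.tmpl no longer exports JWT_ALGORITHM, pin it in code, e.g. `return jwt.decode(token, JWT_SECRET, algorithms=['HS256'])`, or reintroduce the variable. The removed JWT_ISSUER was never enforced here either (no `issuer=` argument is passed), so if issuer validation was the intent it still needs adding. `_current_timestamp` was only referenced by the removed generate_token; if it is still defined above this hunk it is now dead code.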
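Review bot: The new top-level `security: - jwt: []` applies the `jwt` scheme to every operation, yet nothing in this hunk shows the scheme being declared; it has to exist under `components.securitySchemes` (for a connexion app, with an `x-bearerInfoFunc` naming the decoder) or the requirement cannot be enforced. Any operation that is meant to be reachable without a token now needs an explicit `security: []` override, which deserves a comment beside the global block, e.g. `# applies to every operation; opt out per operation with 'security: []'`. The per-operation requirement this replaces (further down, on `/secret`) carried the scope `['secret']`; if that scope meant anything, the global `[]` silently drops it.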
@@ -304,36 +307,16 @@ paths:
 tags: [ "Zahlung" ]
 operationId: ZahlungenForderungen.put_zahlung
 summary: Inserts a new Zahlung
- parameters:
- - name: zahlung
- in: body
- schema:
- $ref: '#/components/schemas/Zahlung'
+ requestBody:
+ content:
+ 'application/json':
+ schema:
+ $ref: '#/components/schemas/Zahlung'
 responses:
 202:
 description: Zahlung successfully inserted
 500:
 description: Some server or database error
- /auth/{user_id}:
- get:
- tags: [ "JWT" ]
- summary: Return JWT token
- operationId: auth.generate_token
- parameters:
- - name: user_id
- description: User unique identifier
- in: path
- required: true
- example: 12
- schema:
- type: integer
- responses:
- '200':
- description: JWT token
- content:
- 'text/plain':
- schema:
- type: string
 /secret:
 get:
 tags: [ "JWT" ]
@@ -346,8 +329,6 @@ paths:
 'text/plain':
 schema:
 type: string
- security:
- - jwt: ['secret']
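Review bot: The new `requestBody` for put_zahlung has no `required: true`, and in OpenAPI 3 a request body is optional by default, so a PUT with no body passes validation and reaches `ZahlungenForderungen.put_zahlung` with no Zahlung; add `required: true` directly under `requestBody:`, before `content:`. Removing `/auth/{user_id}` leaves no token-issuing operation in this spec, so presumably tokens are now minted elsewhere; a one-line comment near the operation list saying where would save the next reader a search.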