Verify JWT Decode

2025-03-03 18:40:39 +00:00 · 2025-02-28 03:06:00 +00:00 · 2025-02-28 03:06:00 +00:00 · 13ab233979
commit 13ab233979
parent 2965356ef2
2 changed files with 3 additions and 4 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -229,8 +229,7 @@ class AuthenticationService:
                str(current_app.secret_key),
                algorithms=[SPIFF_GENERATED_JWT_ALGORITHM],
                audience=SPIFF_GENERATED_JWT_AUDIENCE,
-                options={"verify_exp": False},
-            )
+                options={"verify_exp": True})
        else:
            algorithm = str(header.get("alg"))
            json_key_configs = cls.jwks_public_key_for_key_id(authentication_identifier, key_id)
@ -486,7 +485,7 @@ class AuthenticationService:
    def decode_auth_token(auth_token: str) -> dict[str, str | None]:
        """This is only used for debugging."""
        try:
-            payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": False})
+            payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": True})
            return payload
        except jwt.ExpiredSignatureError as exception:
            raise TokenExpiredError(
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@ -77,6 +77,6 @@ class TestOpenidBlueprint(BaseTest):
        assert "id_token" in response.json
        assert "refresh_token" in response.json

-        decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": False})
+        decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": True})
        assert "iss" in decoded_token
        assert "email" in decoded_token