If claims["cognito:groups"] doesn't exist on token but a valid token exists still throw CognitoGroupRequiredError #53

Open
mattcat10 opened this issue Oct 4, 2024 · 0 comments


@mattcat10

There is a bug in the @auth_required(groups=["admin"], any_group=True) decorator.

When there is a valid session but the user is not added to any groups, the claims["cognito:groups"] property may not exist on the token. The CognitoGroupRequiredError should still be thrown because the token is valid but groups are missing. Currently if the groups are missing from the token, it falls to the catch block due to a null error.

Actual behavior:
AuthorisationRequiredError is thrown when claims["cognito:groups"] does not exist on a valid token

Expected behavior:
When a valid token exists, throw CognitoGroupRequiredError if the user is not in any groups.

Proposed Solution:

```python
from functools import wraps
from typing import Iterable, Optional

from flask import current_app as app
from flask import request

# Exception classes come from flask-cognito-lib's own exceptions module;
# `cognito_auth` is the library's CognitoAuth extension instance, resolved
# the same way as in the library's decorators.py (not reproduced here).
from flask_cognito_lib.exceptions import (
    AuthorisationRequiredError,
    CognitoGroupRequiredError,
    TokenVerifyError,
)


def auth_required(groups: Optional[Iterable[str]] = None, any_group: bool = False):
    """A decorator to protect a route with AWS Cognito"""

    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            with app.app_context():
                # return early if the extension is disabled
                if cognito_auth.cfg.disabled:
                    return fn(*args, **kwargs)

                # Try and validate the access token stored in the cookie
                try:
                    access_token = request.cookies.get(cognito_auth.cfg.COOKIE_NAME)
                    claims = cognito_auth.verify_access_token(
                        token=access_token,
                        leeway=cognito_auth.cfg.cognito_expiration_leeway,
                    )
                    valid = True

                    # Check for required group membership
                    if groups:
                        # The "cognito:groups" claim may be absent from a valid
                        # token (user in no groups), so test the verified
                        # `claims` dict for the key before indexing it. Indexing
                        # directly raised KeyError, which the except clause below
                        # turned into AuthorisationRequiredError.
                        if any_group:
                            valid = "cognito:groups" in claims and any(
                                g in claims["cognito:groups"] for g in groups
                            )
                        else:
                            valid = "cognito:groups" in claims and all(
                                g in claims["cognito:groups"] for g in groups
                            )

                        # Not caught below: the token is valid, only the groups are missing
                        if not valid:
                            raise CognitoGroupRequiredError

                except (TokenVerifyError, KeyError):
                    valid = False

                if valid:
                    return fn(*args, **kwargs)

                raise AuthorisationRequiredError

        return decorator

    return wrapper
```
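The two exception paths the issue describes, reproduced stand-alone as an added example (this is not code from flask-cognito-lib or from the issue author). The three exception classes are local stand-ins for the library's exceptions of the same names, `authorise` mirrors the decorator's try/except flow without Flask or a real token verifier, and every claims dict is constructed by hand rather than taken from a Cognito token. `fixed=False` runs the unguarded `claims["cognito:groups"]` lookup; `fixed=True` runs the guarded one.

```python
"""Stand-alone reproduction of the decorator's two exception paths.

Added example, not code from flask-cognito-lib or from the issue author. The
exception classes are local stand-ins, `authorise` mirrors the decorator's
try/except flow without Flask, and all claims dicts below are constructed.
"""
from typing import Callable, Dict, Iterable, Optional


class TokenVerifyError(Exception):
    """Stand-in: the access token failed verification."""


class AuthorisationRequiredError(Exception):
    """Stand-in: no usable token, the caller has to log in."""


class CognitoGroupRequiredError(Exception):
    """Stand-in: the token is valid but a required group is missing."""


def groups_satisfied_original(claims: Dict, groups: Iterable[str], any_group: bool) -> bool:
    """Unfixed check: indexes the claim directly, so an absent claim raises KeyError."""
    if any_group:
        return any(g in claims["cognito:groups"] for g in groups)
    return all(g in claims["cognito:groups"] for g in groups)


def groups_satisfied(claims: Dict, groups: Iterable[str], any_group: bool) -> bool:
    """Fixed check: an absent 'cognito:groups' claim means membership of no groups."""
    member_of = claims.get("cognito:groups") or []
    if any_group:
        return any(g in member_of for g in groups)
    return all(g in member_of for g in groups)


def authorise(
    verify: Callable[[], Dict],
    groups: Optional[Iterable[str]] = None,
    any_group: bool = False,
    fixed: bool = True,
) -> None:
    """Same control flow as the decorator. `verify` returns verified claims or
    raises TokenVerifyError; KeyError is caught alongside it, which is why a
    missing claim becomes AuthorisationRequiredError in the unfixed path."""
    check = groups_satisfied if fixed else groups_satisfied_original
    try:
        claims = verify()
        valid = True
        if groups:
            valid = check(claims, groups, any_group)
            if not valid:
                # Neither TokenVerifyError nor KeyError, so it propagates out of the try
                raise CognitoGroupRequiredError
    except (TokenVerifyError, KeyError):
        valid = False
    if not valid:
        raise AuthorisationRequiredError


def outcome(verify: Callable[[], Dict], groups=None, any_group=False, fixed=True) -> str:
    """Run `authorise` and name the result so the two paths can be compared."""
    try:
        authorise(verify, groups, any_group, fixed)
    except (AuthorisationRequiredError, CognitoGroupRequiredError) as exc:
        return type(exc).__name__
    return "ok"


# Constructed claims for three valid sessions; none is a real Cognito token.
NO_GROUPS_CLAIM = {"sub": "user-1", "token_use": "access"}  # claim absent entirely
EMPTY_GROUPS = {"sub": "user-2", "token_use": "access", "cognito:groups": []}
ADMIN = {"sub": "user-3", "token_use": "access", "cognito:groups": ["admin"]}


def token(claims: Dict) -> Callable[[], Dict]:
    """Verifier that succeeds with the given claims."""
    return lambda: claims


def invalid_token() -> Dict:
    """Verifier for a tampered or expired cookie."""
    raise TokenVerifyError("signature verification failed")


if __name__ == "__main__":
    cases = [("no claim", token(NO_GROUPS_CLAIM)), ("empty list", token(EMPTY_GROUPS)),
             ("admin", token(ADMIN)), ("bad token", invalid_token)]
    for label, verify in cases:
        print(f"{label:10} original={outcome(verify, ['admin'], True, fixed=False):28}"
              f" fixed={outcome(verify, ['admin'], True)}")
```

Only the absent-claim case differs between the two paths: a token that carries an empty `cognito:groups` list already produced CognitoGroupRequiredError before the fix, and a tampered token produces AuthorisationRequiredError either way. The distinction matters because the two exceptions are normally handled differently (a redirect to login for the first, a 403 for the second), so a logged-in user in no groups was being sent back to the login page with a still-valid session instead of being told they lack the group.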