There is a bug in the @auth_required(groups=["admin"], any_group=True) decorator.
When there is a valid session but the user is not added to any groups, the claims["cognito:groups"] property may not exist on the token. The CognitoGroupRequiredError should still be thrown because the token is valid but groups are missing. Currently if the groups are missing from the token, it falls to the catch block due to a null error.
Actual behavior:
AuthorisationRequiredError is thrown when claims["cognito:groups"] does not exist on a valid token
Expected behavior:
When a valid token exists, throw CognitoGroupRequiredError if the user is not in any groups
Proposed Solution:
```python
from functools import wraps
from typing import Iterable, Optional

from flask import current_app as app, request

# cognito_auth, TokenVerifyError, CognitoGroupRequiredError and
# AuthorisationRequiredError are the project's own objects; their imports
# are assumed here (they are not shown in the issue)


def auth_required(groups: Optional[Iterable[str]] = None, any_group: bool = False):
    """A decorator to protect a route with AWS Cognito"""

    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            with app.app_context():
                # return early if the extension is disabled
                if cognito_auth.cfg.disabled:
                    return fn(*args, **kwargs)

                # Try and validate the access token stored in the cookie
                try:
                    access_token = request.cookies.get(cognito_auth.cfg.COOKIE_NAME)
                    claims = cognito_auth.verify_access_token(
                        token=access_token,
                        leeway=cognito_auth.cfg.cognito_expiration_leeway,
                    )
                    valid = True

                    # Check for required group membership. The null check is
                    # done on `claims` (the verified token), which is the dict
                    # indexed below; a token with no "cognito:groups" claim
                    # means the user is in no group, so it must fail the group
                    # check rather than raise KeyError into the except clause.
                    if groups:
                        if any_group:
                            valid = "cognito:groups" in claims and any(
                                g in claims["cognito:groups"] for g in groups
                            )
                        else:
                            valid = "cognito:groups" in claims and all(
                                g in claims["cognito:groups"] for g in groups
                            )

                        if not valid:
                            raise CognitoGroupRequiredError

                except (TokenVerifyError, KeyError):
                    valid = False

                if valid:
                    return fn(*args, **kwargs)

                raise AuthorisationRequiredError

        return decorator

    return wrapper
```
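A stand-alone reproduction of the two code paths the issue describes, added here as an example and not part of the issue or of the library: it stubs the exception classes and token verification, mirrors the decorator's try/except flow, and shows that a valid token without a `cognito:groups` claim ends in AuthorisationRequiredError with the reported check but in CognitoGroupRequiredError with a null-safe one. The claim sets are constructed.

```python
from typing import Callable, Iterable, Optional

# Stand-ins for the library's exception classes (names from the issue, bodies assumed)
class TokenVerifyError(Exception): ...
class CognitoGroupRequiredError(Exception): ...
class AuthorisationRequiredError(Exception): ...


def group_check_reported(claims: dict, groups: Iterable[str], any_group: bool) -> bool:
    """The check as the issue describes it: indexes the claim with no null check."""
    if any_group:
        return any(g in claims["cognito:groups"] for g in groups)
    return all(g in claims["cognito:groups"] for g in groups)


def group_check_fixed(claims: dict, groups: Iterable[str], any_group: bool) -> bool:
    """Null-safe check: a missing (or None) group claim means 'member of no groups'."""
    member_of = claims.get("cognito:groups") or []
    if any_group:
        return any(g in member_of for g in groups)
    return all(g in member_of for g in groups)


def outcome(claims: Optional[dict], groups: Optional[Iterable[str]], any_group: bool,
            check: Callable[[dict, Iterable[str], bool], bool]) -> str:
    """Mirror the decorator's try/except flow and name the exception it ends with."""
    try:
        try:
            if claims is None:  # stands in for verify_access_token() rejecting the token
                raise TokenVerifyError("no token")
            valid = True
            if groups:
                valid = check(claims, groups, any_group)
                if not valid:
                    raise CognitoGroupRequiredError
        except (TokenVerifyError, KeyError):  # the except that swallows the KeyError
            valid = False
        if valid:
            return "allowed"
        raise AuthorisationRequiredError
    except (CognitoGroupRequiredError, AuthorisationRequiredError) as exc:
        return type(exc).__name__


# Constructed claim sets; a valid token with no group claim is the case the issue reports
NO_GROUPS = {"sub": "user-1", "token_use": "access"}
WRONG_GROUP = {"sub": "user-2", "cognito:groups": ["users"]}
ADMIN = {"sub": "user-3", "cognito:groups": ["admin"]}
```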