Fix JWT signature verification vulnerability (GHSA-223g-f5mq-gw33)

- Enable proper JWT signature verification in backend/routes/dashboard.py
- Enable proper JWT signature verification in backend/main.py
- Enable proper JWT signature verification in backend/activity_logger.py
- Replace verify_signature=False with cryptographic verification using JWT_SECRET_KEY
- Prevents JWT forgery attacks and account takeover
Stalin
2026-05-07 16:57:42 +05:30
parent 2f9d94d29d
commit 05f081b205
3 changed files with 58 additions and 21 deletions
+19 -8
@@ -25,14 +25,25 @@ def verify_wallet_authentication():
if auth_header.startswith('Bearer '):
try:
token = auth_header.split(' ')[1]
# ✅ FIXED: Add algorithms parameter to fix JWT decode error
decoded = jwt.decode(
token,
options={"verify_signature": False}, # For development
algorithms=["HS256", "RS256"] # This fixes the JWT error
)
user_id = decoded.get('sub') or decoded.get('user_id') or decoded.get('uid') or decoded.get('wallet_address')
wallet_address = decoded.get('wallet_address') or user_id
# ✅ FIXED: Verify JWT signature using JWT_SECRET_KEY
from flask import current_app
jwt_secret = current_app.config.get('JWT_SECRET_KEY') or os.getenv('JWT_SECRET_KEY')
if jwt_secret:
decoded = jwt.decode(
token,
jwt_secret,
algorithms=["HS256", "RS256"]
)
else:
logger.error("JWT_SECRET_KEY not configured")
decoded = None
if decoded:
user_id = decoded.get('sub') or decoded.get('user_id') or decoded.get('uid') or decoded.get('wallet_address')
wallet_address = decoded.get('wallet_address') or user_id
else:
user_id = None
wallet_address = None
if user_id:
logger.info(f"✅ JWT authentication verified: {user_id}")