Reputation: 187
Checking for JWT ALG
I'm using flask-jwt-extended library for my authentication, everything works but I want to check if someone sent a manipulated JWT token with ALG = none, since that's a known vulnerable point that's used to deceive the server.
I looked into the documentation but I didn't find which option that let's me check what's being received in alg on all requests.
Thanks.
Upvotes: 0
Views: 195
Answers (1)
Reputation: 4177
Flask-JWT-Extended already handles this for you. It checks each token against the expected algorightm as defined in app.config['JWT_DECODE_ALGORITHMS'] or app.config['JWT_ALGORITHM'] here (https://github.com/vimalloc/flask-jwt-extended/blob/1fec4dc22fe97fd3bf579548079543a8c0b61e3e/flask_jwt_extended/utils.py#L111) precicesly to avoid these kind of attacks.
Upvotes: 1
Related Questions
- How do you check whether user is logged using flask-jwt-extended before logging him in.?
- Flask JWT-extended not recognizing access token, only when GET method is used
- Flask-JWT-Extended - Bad Authorization Header
- Flask JWT : get_jwt_identity() without @jwt_required always return Non
- Authentication with Flask JWT in python
- get_jwt_identity() returning None in Flask-JWT-Extended
- Api with flask-jwt-extended with authentication problems?
- verify_jwt_in_request() returns None when called in custom Flask Decorator
- How can I do custom JWT validation with Flask and flask_jwt_extended?
- Manually validate flask-extended-jwt's access token