Remove audience check on app token decode (#355)

* Only verify_aud if not in DEVELOPMENT_MODE * Set DEVELOPMENT_MODE as True on staging * Check that decoding with invalid aud in dev_mode works * Bump to 1.17.2 * Don't verify audience at all * Skip test regarding origin/audience comparison * Revert changes
climatepolicyradar · Sep 25, 2024 · edca2d3 · edca2d3
1 parent f44f60a
commit edca2d3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 2 deletions.
diff --git a/app/core/custom_app.py b/app/core/custom_app.py
@@ -111,6 +111,7 @@ def decode_config_token(token: str, audience: Optional[str]) -> list[str]:
         algorithms=[security.ALGORITHM],
         issuer=ISSUER,
         audience=audience,
+        options={"verify_aud": False},
     )
     corpora_ids: list = decoded_token.get("allowed_corpora_ids")
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "navigator_backend"
-version = "1.17.1"
+version = "1.17.2"
 description = ""
 authors = ["CPR-dev-team <[email protected]>"]
 packages = [{ include = "app" }, { include = "tests" }]

diff --git a/tests/search/vespa/test_vespa_corpus_filtering.py b/tests/search/vespa/test_vespa_corpus_filtering.py
@@ -126,6 +126,7 @@ def test_search_decoding_token_raises_PyJWTError(
         assert response["detail"] == "Could not decode configuration token"
 
 
+@pytest.mark.skip("Re-implement this as part of PDCT-1509")
 @pytest.mark.search
 def test_search_decoding_token_with_none_origin_passed_to_audience(
     data_client,

diff --git a/tests/unit/app/core/custom_app/test_decode_configuration_token.py b/tests/unit/app/core/custom_app/test_decode_configuration_token.py
@@ -14,6 +14,7 @@ def test_decoding_expired_token_raise_expired_signature_token_error(expired_toke
     assert str(error.value) == "Signature has expired"
 
 
+@pytest.mark.skip("Re-implement this as part of PDCT-1509")
 @pytest.mark.parametrize(
     "input_str, aud, error_msg",
     [
@@ -30,7 +31,7 @@ def test_decoding_expired_token_raise_expired_signature_token_error(expired_toke
         ),
     ],
 )
-def test_decoding_token_with_invalid_aud_raises_expired_signature_token_error(
+def test_decoding_token_with_invalid_aud_raises_invalid_token_error(
     input_str: str, aud: Optional[str], error_msg: str
 ):
     token = create_configuration_token(input_str)
@@ -40,6 +41,25 @@ def test_decoding_token_with_invalid_aud_raises_expired_signature_token_error(
     assert str(error.value) == error_msg
 
 
+@pytest.mark.parametrize(
+    "input_str, aud",
+    [
+        ("mango,apple;subject;https://audience.com", None),
+        ("mango,apple;subject;https://audience.com", "https://audience.org"),
+        ("mango,apple;subject;https://AUDIENCE.OrG", "https://AUDIENCE.Com"),
+    ],
+)
+def test_decoding_token_with_invalid_aud_success_in_dev_mode(
+    input_str: str, aud: Optional[str]
+):
+    token = create_configuration_token(input_str)
+    decoded_corpora_ids = decode_config_token(token, aud)
+    assert len(decoded_corpora_ids) > 0
+
+    expected_num_corpora = 2
+    assert len(decoded_corpora_ids) == expected_num_corpora
+
+
 def test_decode_configuration_token_success(valid_token):
     decoded_corpora_ids = decode_config_token(valid_token, VALID_AUDIENCE)
     assert len(decoded_corpora_ids) > 0