Add regular expression to check JWT bearer token form and sad path test.

Author: dzleidig

test/config_test.py

@@ -174,7 +174,7 @@ def test_signing(self):
     def test_bearer_token(self):
         """Verify that the authorization header is set when a bearer token is provided"""
 
-        bearer_token = "Bearer myBearerToken"
+        bearer_token = "Bearer eyJraWQiOiJWcmVsOE9zZ0JXaUpHeEpMeFJ4bE1UaVwvbjgyc1hwWktUaTd2UExUNFQ0TT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJoMTBlM2hwajliNjc4bXMwOG8zbGlibHQ2IiwidG9rZW5fdXNlIjoiYWNjZXNzIiwic2NvcGUiOiJ3ZWJcL2dldCB3ZWJcL3Bvc3QiLCJhdXRoX3RpbWUiOjE1OTM3MjM1NDgsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbVwvdXMtZWFzdC0xX1d6aEZzTGlPRyIsImV4cCI6MTU5MzcyNzE0OCwiaWF0IjoxNTkzNzIzNTQ4LCJ2ZXJzaW9uIjoyLCJqdGkiOiI4Njk5ZDEwYy05Mjg4LTQ0YmEtODIxNi01OTJjZGU3MDBhY2MiLCJjbGllbnRfaWQiOiJoMTBlM2hwajliNjc4bXMwOG8zbGlibHQ2In0.YA_yiD-x6UuBMShprUbUKuB_DO6ogCtd5srfgpJA6Ve_qsf8n19nVMmFsZBy3GxzN92P1ZXiFY99FfNPohhQtaRRhpeUkir08hgJN2bEHCJ5Ym8r9mr9mlwSG6FoiedgLaUVGwJujD9c2rcA83NEo8ayTyfCynF2AZ2pMxLHvqOYtvscGMiMzIwlZfJV301iKUVgPODJM5lpJ4iKCpOy2ByCl2_KL1uxIxgMkglpB-i7kgJc-WmYoJFoN88D89ugnEoAxNfK14N4_RyEkrLNGape9kew79nUeR6fWbVFLiGDDu25_9z-7VB-GGGk7L_Hb7YgVJ5W2FwESnkDvV1T4Q"
 
         with tempfile.NamedTemporaryFile() as config_file, tempfile.NamedTemporaryFile() as key_file:
             with open(config_file.name, "w") as f:
@@ -202,3 +202,29 @@ def test_bearer_token(self):
         authorization_header_value = prepared_get.headers["authorization"]
         self.assertEqual(authorization_header_value, bearer_token)
         self.assertNotIn("x-user-token", prepared_get.headers)
+
+    def test_malformed_bearer_token(self):
+        """Verify that an exception is thrown when a malformed JWT bearer token is provided"""
+
+        bearer_token = "Bearer myBigBadBearerToken"
+
+        with tempfile.NamedTemporaryFile() as config_file, tempfile.NamedTemporaryFile() as key_file:
+            with open(config_file.name, "w") as f:
+                json.dump(
+                    {
+                        "email": "[email protected]",
+                        "token": bearer_token,
+                        "organization_id": "transcriptic",
+                        "api_root": "http://foo:5555",
+                        "analytics": True,
+                        "user_id": "ufoo2",
+                        "feature_groups": [
+                            "can_submit_autoprotocol",
+                            "can_upload_packages",
+                        ],
+                    },
+                    f,
+                )
+
+            with self.assertRaisesRegexp(ValueError, "Malformed JWT Bearer Token"):
+                transcriptic.config.Connection.from_file(config_file.name)

transcriptic/config.py

@@ -12,6 +12,7 @@
 
 from . import routes
 from .signing import StrateosSign
+from .util import is_valid_jwt_token
 from .version import __version__
 
 try:
@@ -252,9 +253,12 @@ def token(self, value: str):
             self.update_headers(**{"Cookie": None})
 
         if value is not None:
-            is_bearer_token = value.startswith("Bearer")
-            if is_bearer_token:
-                self.update_headers(**{"Authorization": value})
+            is_bearer_auth = value.startswith("Bearer")
+            if is_bearer_auth:
+                if is_valid_jwt_token(value):
+                    self.update_headers(**{"Authorization": value})
+                else:
+                    raise ValueError("Malformed JWT Bearer Token")
             else:
                 self.update_headers(**{"X-User-Token": value})
 

transcriptic/util.py

@@ -92,3 +92,8 @@ def makedirs(name, mode=None, exist_ok=False):
 
     mode = mode if mode is not None else 0o777
     makedirs(name, mode, exist_ok)
+
+
+def is_valid_jwt_token(token: str):
+    regex = r"Bearer ([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)"
+    return re.fullmatch(regex, token) is not None