Merge pull request #543 from Robin-Van-de-Merghel/robin-fix-verify-token

aldbr · web-flow · commit a1e542c97ab1 · 2025-05-15T16:12:17.000+02:00
[BUG] fix: Fixed verify_token error
diff --git a/diracx-routers/src/diracx/routers/utils/users.py b/diracx-routers/src/diracx/routers/utils/users.py
@@ -6,6 +6,7 @@
 
 from fastapi import Depends, HTTPException, status
 from fastapi.security import OpenIdConnect
+from joserfc.errors import JoseError
 from joserfc.jwt import JWTClaimsRegistry
 from pydantic import BaseModel, GetCoreSchemaHandler, GetJsonSchemaHandler
 from pydantic_core import CoreSchema, core_schema
@@ -97,7 +98,7 @@ async def verify_dirac_access_token(
                 iss={"essential": True, "value": settings.token_issuer},
             ),
         )
-    except ValueError as e:
+    except (ValueError, JoseError) as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Invalid JWT",
diff --git a/diracx-routers/tests/auth/test_standard.py b/diracx-routers/tests/auth/test_standard.py
@@ -594,6 +594,40 @@ async def test_refresh_token_expired(
     assert data["detail"] == "Invalid JWT: expired_token: The token is expired"
 
 
+async def test_access_token_expired(
+    test_client, test_auth_settings: AuthSettings, auth_httpx_mock: HTTPXMock
+):
+    """Test the expiration date of the passed access token.
+    - get an access token
+    - decode it and change the expiration time
+    - recode it (with the JWK of the server).
+    """
+    # Get access token
+    initial_access_token = _get_tokens(test_client)["access_token"]
+
+    # Decode it
+    access_payload = jwt.decode(
+        initial_access_token, options={"verify_signature": False}
+    )
+
+    # Modify the expiration time (utc now - 5 hours)
+    access_payload["exp"] = int(
+        (datetime.now(tz=timezone.utc) - timedelta(hours=5)).timestamp()
+    )
+
+    # Encode it differently
+    new_access_token = create_token(access_payload, test_auth_settings)
+
+    headers = {"Authorization": f"Bearer {new_access_token}"}
+
+    # Try to get the userinfo using the invalid access token
+    # The server should detect that it is not encoded properly
+    r = test_client.get("/api/auth/userinfo", headers=headers)
+    data = r.json()
+    assert r.status_code == 401, data
+    assert data["detail"] == "Invalid JWT"
+
+
 async def test_refresh_token_rotated_expiration_time(
     test_client, test_auth_settings: AuthSettings, auth_httpx_mock: HTTPXMock
 ):
