fix: don't crash when decoding JWT fails (#398)

rmoesbergen · web-flow · commit f7928b62b564 · 2026-04-23T17:05:31.000+02:00
diff --git a/api/app/main.py b/api/app/main.py
@@ -46,14 +46,20 @@ def get_user(token: Annotated[HTTPAuthorizationCredentials, Depends(security)]):
     openid_configuration = get_openid_configuration()
     jwks_client = get_jwks_client()
 
-    signing_key = jwks_client.get_signing_key_from_jwt(token.credentials)
-    decoded_jwt = jwt.decode(
-        token.credentials,
-        key=signing_key.key,
-        algorithms=openid_configuration["id_token_signing_alg_values_supported"],
-        options={"verify_aud": False},
-    )
-    if not decoded_jwt["media"]:
+    try:
+        signing_key = jwks_client.get_signing_key_from_jwt(token.credentials)
+        decoded_jwt = jwt.decode(
+            token.credentials,
+            key=signing_key.key,
+            algorithms=openid_configuration["id_token_signing_alg_values_supported"],
+            options={"verify_aud": False},
+        )
+    except (jwt.exceptions.PyJWTError, Exception) as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail=f"Invalid token"
+        )
+
+    if not decoded_jwt.get("media"):
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authorized"
         )
