cardosofelipe/syndarix
1
0
Fork 0
forked from cardosofelipe/pragma-stack
Code Issues 18 Pull Requests Wiki Activity
Files
a3f78dc8014a3e948b702b6a87eeb6d3e3377612
syndarix/backend/tests/core/test_auth_security.py
Felipe Cardoso 4385d20ca6 fix(tests): simplify invalid token test logic in test_auth_security.py 
- Removed unnecessary try-except block for JWT encoding failures.
- Adjusted test to directly verify `TokenInvalidError` during decoding.
- Clarified comment on HMAC algorithm compatibility (`HS384` vs. `HS256`).
2026-03-01 14:24:17 +01:00

245 lines
8.3 KiB
Python
Raw Blame History

"""
Security tests for authentication module (app/core/auth.py).
Critical security tests covering:
- JWT algorithm confusion attacks (CVE-2015-9235)
- Algorithm substitution attacks
- Token validation security
These tests cover critical security vulnerabilities that could be exploited.
"""
import jwt
import pytest
from app.core.auth import TokenInvalidError, create_access_token, decode_token
from app.core.config import settings
class TestJWTAlgorithmSecurityAttacks:
"""
Test JWT algorithm confusion attacks.
CVE-2015-9235: Critical vulnerability where attackers can bypass JWT signature
verification by using "alg: none" or substituting algorithms.
References:
- https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9235
Covers lines: auth.py:209, auth.py:212
"""
def test_reject_algorithm_none_attack(self):
"""
Test that tokens with "alg: none" are rejected.
Attack Scenario:
Attacker creates a token with "alg: none" to bypass signature verification.
NOTE: Lines 209 and 212 in auth.py are DEFENSIVE CODE that's never reached
because PyJWT rejects "none" algorithm tokens BEFORE we get there.
This is good for security! The library throws InvalidTokenError which becomes TokenInvalidError.
This test verifies the overall protection works, even though our defensive
checks at lines 209-212 don't execute because the library catches it first.
"""
# Create a payload that would normally be valid (using timestamps)
import time
now = int(time.time())
payload = {
"sub": "user123",
"exp": now + 3600, # 1 hour from now
"iat": now,
"type": "access",
}
# Craft a malicious token with "alg: none"
# We manually encode to bypass library protections
import base64
import json
header = {"alg": "none", "typ": "JWT"}
header_encoded = (
base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
)
payload_encoded = (
base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
)
# Token with no signature (algorithm "none")
malicious_token = f"{header_encoded}.{payload_encoded}."
# Should reject the token (library catches it, which is good!)
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
def test_reject_algorithm_none_lowercase(self):
"""
Test that tokens with "alg: NONE" (uppercase) are also rejected.
"""
import base64
import json
import time
now = int(time.time())
payload = {"sub": "user123", "exp": now + 3600, "iat": now, "type": "access"}
# Try uppercase "NONE"
header = {"alg": "NONE", "typ": "JWT"}
header_encoded = (
base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
)
payload_encoded = (
base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
)
malicious_token = f"{header_encoded}.{payload_encoded}."
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
def test_reject_algorithm_substitution_hs256_to_rs256(self):
"""
Test that tokens with wrong algorithm are rejected.
Attack Scenario:
Attacker changes the "alg" header to RS256 while keeping an HMAC
signature, attempting algorithm confusion to forge tokens.
Reference: https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/january/jwt-algorithm-confusion/
"""
import base64
import json
import time
now = int(time.time())
payload = {"sub": "user123", "exp": now + 3600, "iat": now, "type": "access"}
# Hand-craft a token claiming RS256 in the header — PyJWT cannot encode
# RS256 with an HMAC key, so we craft the header manually (same technique
# as the "alg: none" tests) to produce a token that actually reaches decode_token.
header = {"alg": "RS256", "typ": "JWT"}
header_encoded = (
base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
)
payload_encoded = (
base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
)
# Attach a fake signature to form a complete (but invalid) JWT
malicious_token = f"{header_encoded}.{payload_encoded}.fakesignature"
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
def test_reject_hs384_when_hs256_expected(self):
"""
Test that HS384 tokens are rejected when HS256 is configured.
Prevents algorithm downgrade/upgrade attacks.
"""
import time
now = int(time.time())
payload = {"sub": "user123", "exp": now + 3600, "iat": now, "type": "access"}
# Create token with HS384 instead of HS256 (HMAC key works with HS384)
malicious_token = jwt.encode(payload, settings.SECRET_KEY, algorithm="HS384")
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
def test_valid_token_with_correct_algorithm_accepted(self):
"""
Sanity check: Valid tokens with correct algorithm should still work.
Ensures our security checks don't break legitimate tokens.
"""
# Create a valid access token using the app's own function
token = create_access_token(subject="user123")
# Should decode successfully
token_data = decode_token(token)
assert token_data.sub == "user123" # TokenPayload uses 'sub', not 'user_id'
assert token_data.type == "access"
def test_algorithm_case_sensitivity(self):
"""
Test that algorithm matching is case-insensitive (uppercase check in code).
The code uses .upper() for comparison, ensuring "hs256" matches "HS256".
"""
# Create a valid token
token = create_access_token(subject="user123")
# Should work regardless of case in settings
# (This is a sanity check that our comparison logic handles case)
token_data = decode_token(token)
assert token_data.sub == "user123" # TokenPayload uses 'sub', not 'user_id'
class TestJWTSecurityEdgeCases:
"""Additional JWT security edge cases."""
def test_token_with_missing_algorithm_header(self):
"""
Test handling of malformed token without algorithm header.
"""
import base64
import json
import time
now = int(time.time())
# Create token without "alg" in header
header = {"typ": "JWT"} # Missing "alg"
payload = {"sub": "user123", "exp": now + 3600, "iat": now, "type": "access"}
header_encoded = (
base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
)
payload_encoded = (
base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
)
malicious_token = f"{header_encoded}.{payload_encoded}.fake_signature"
# Should reject due to missing or invalid algorithm
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
def test_completely_malformed_token(self):
"""Test that completely malformed tokens are rejected."""
with pytest.raises(TokenInvalidError):
decode_token("not.a.valid.jwt.token.at.all")
def test_token_with_invalid_json_payload(self):
"""Test token with malformed JSON in payload."""
import base64
header_encoded = (
base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}')
.decode()
.rstrip("=")
)
# Invalid JSON (missing closing brace)
invalid_payload_encoded = (
base64.urlsafe_b64encode(
b'{"sub":"user123"' # Invalid JSON
)
.decode()
.rstrip("=")
)
malicious_token = f"{header_encoded}.{invalid_payload_encoded}.fake_sig"
with pytest.raises(TokenInvalidError):
decode_token(malicious_token)
Reference in New Issue View Git Blame Copy Permalink