From 219c767d9aa4712f2be357b035ab07fa24e1fa78 Mon Sep 17 00:00:00 2001
From: hvalfangst <121831102+hvalfangst@users.noreply.github.com>
Date: Fri, 8 Nov 2024 23:51:04 +0100
Subject: [PATCH] Fixed bug in server where multiple space-separated scopes were not split into separate scopes rendering the validation process impossible

---
 server/security/jwt_utils.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/server/security/jwt_utils.py b/server/security/jwt_utils.py
index e76cf6a..99767ee 100644
--- a/server/security/jwt_utils.py
+++ b/server/security/jwt_utils.py
@@ -54,9 +54,20 @@ async def verify_token_signature(token: str = Depends(oauth2_scheme)) -> Decoded
         logger.info(f"Token signature successfully verified with public key (kid: {kid})")
 
-        # Ensure `scp` is a list
-        if "scp" in verified_payload and isinstance(verified_payload["scp"], str):
-            verified_payload["scp"] = [verified_payload["scp"]]
+        if "scp" in verified_payload:
+            if isinstance(verified_payload["scp"], str):
+                # Split the `scp` string into a list of scopes if necessary
+                verified_payload["scp"] = verified_payload["scp"].split()
+                logger.info(f"Parsed 'scp' claim into list: {verified_payload['scp']}")
+            elif isinstance(verified_payload["scp"], list):
+                logger.info("Token 'scp' claim is already a list.")
+            else:
+                logger.error(f"Unexpected 'scp' claim format: {type(verified_payload['scp'])}")
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Invalid JWT: 'scp' claim format is incorrect",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
 
         return DecodedToken(**verified_payload)