From 20d9345a865338777839e8f02c21cd9d6f5a2cae Mon Sep 17 00:00:00 2001
From: Chris Wesseling
Date: Thu, 8 Feb 2024 17:25:10 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fix=20JWT=20verification?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A JWT has a header field `alg` that specifies the algorithm used in the signature. PyJWT checks this with `alg in algorithms`, this "works" because `"HS256" in "HS256"` is true, but so is `"" in "HS256"` and `"HS2" in "HS256"`. Luckily there currently are no PyJWT algorithms like that. There is no HMAC SHA2, and the Null encryption is named "none" not "".
---
 vng_api_common/middleware.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/vng_api_common/middleware.py b/vng_api_common/middleware.py
index f31db27f..fff05a53 100644
--- a/vng_api_common/middleware.py
+++ b/vng_api_common/middleware.py
@@ -1,7 +1,7 @@
 # https://pyjwt.readthedocs.io/en/latest/usage.html#reading-headers-without-validation
 # -> we can put the organization/service in the headers itself
 import logging
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, Iterable, List, Optional
 from django.conf import settings
 from django.db import models, transaction
@@ -28,7 +28,7 @@ def __init__(self, encoded: str = None):
 self.encoded = encoded
 @property
- def applicaties(self) -> Optional[list]:
+ def applicaties(self) -> Iterable[Applicatie]:
 if self.client_id is None:
 return []
@@ -138,7 +138,7 @@ def payload(self) -> Optional[Dict[str, Any]]:
 payload = jwt.decode(
 self.encoded,
 key,
- algorithms="HS256",
+ algorithms=["HS256"],
 leeway=settings.JWT_LEEWAY,
 )
 except jwt.InvalidSignatureError:
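Review bot: With `algorithms=["HS256"]`, a token whose header `alg` is anything other than HS256 (including `none`) is now rejected by PyJWT with `jwt.InvalidAlgorithmError`, which is not a subclass of `InvalidSignatureError`, so the `except jwt.InvalidSignatureError:` that closes the hunk will not catch it. Unless a broader handler such as `except jwt.InvalidTokenError:` follows outside the hunk, such tokens surface as an unhandled exception instead of taking the same authentication-failure path as a bad signature, which is also the path worth logging for detection. The `payload` property starts and ends outside this hunk, so that cannot be confirmed from here. Consider also keeping the accepted algorithm list in one module-level constant (constructed example: `JWT_ALGORITHMS = ["HS256"]`) so the token-issuing side and this decode call cannot drift apart.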