From dc3e45268a149f75740e7ca7d3962f74323b5d53 Mon Sep 17 00:00:00 2001
From: Matti Eiden
Date: Sun, 19 May 2024 10:15:47 +0300
Subject: [PATCH] feat: define new setting ALLOWED_ALGORITHMS

It defaults to ["RS256"] and the goal is to mitigate CVE-2024-33663 even though vulnerability does not seem to exist in the context of tunnistamo or tunnistus (ECDSA is not used by either issuer).
---
 CHANGELOG.md         | 5 +++++
 README.md            | 4 ++++
 helusers/jwt.py      | 7 ++++++-
 helusers/settings.py | 1 +
 setup.py             | 2 +-
 5 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5daf6d..d80ff12 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.12.0 - 2024-05-20
+
+### Changed
+
+- Add new setting `ALLOWED_ALGORITHMS` with a default value of `["RS256"]`
 
 ## 0.11.0 - 2024-03-15
 
diff --git a/README.md b/README.md
index e1a13d3..2c969a1 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,10 @@ OIDC_API_TOKEN_AUTH = {
     # authorization server configuration and public keys are "remembered".
     # The value is in seconds. Default is 24 hours.
     "OIDC_CONFIG_EXPIRATION_TIME": 600,
+
+    # Allow only algorithms that we actually use. In case of tunnistamo and
+    # tunnistus only RS256 is used with API access tokens.
+    "ALLOWED_ALGORITHMS": ["RS256"],
 }
 ```
 
diff --git a/helusers/jwt.py b/helusers/jwt.py
index ef3dbe6..979ca1d 100644
--- a/helusers/jwt.py
+++ b/helusers/jwt.py
@@ -50,7 +50,12 @@ def validate(self, keys, audience, required_claims=_NOT_PROVIDED):
         for required_claim in required_claims:
             options[f"require_{required_claim}"] = True
 
-        jwt.decode(self._encoded_jwt, keys, options=options)
+        jwt.decode(
+            self._encoded_jwt,
+            keys,
+            algorithms=self.settings.ALLOWED_ALGORITHMS,
+            options=options,
+        )
 
         claims = self.claims
         if require_aud and "aud" not in claims:
diff --git a/helusers/settings.py b/helusers/settings.py
index 93401a0..d2aed75 100644
--- a/helusers/settings.py
+++ b/helusers/settings.py
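Review bot: The `algorithms=self.settings.ALLOWED_ALGORITHMS` keyword added to the `jwt.decode(...)` call is the whole mitigation, but nothing in the hunk says why it must stay explicit, and nothing validates the configured list, so a deployment that sets it empty or widens it past the asymmetric algorithms the issuers actually use would silently lose the protection the commit message describes. A comment above the call, `# Pin the accepted signing algorithms explicitly; never let the library infer them from the token header (CVE-2024-33663).`, would keep the intent visible through later refactors. It is also worth rejecting an empty or `"none"`-containing `ALLOWED_ALGORITHMS` when the setting is loaded (the settings.py hunk is the natural place), e.g. `if not algs or "none" in algs: raise ImproperlyConfigured("ALLOWED_ALGORITHMS must list at least one real signing algorithm")`, rather than relying on the library's own handling. The enclosing `validate` method starts and ends outside this hunk.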
@@ -11,6 +11,7 @@
     AUTH_SCHEME="Bearer",
     USER_RESOLVER="helusers.oidc.resolve_user",
     OIDC_CONFIG_EXPIRATION_TIME=24 * 60 * 60,
+    ALLOWED_ALGORITHMS=["RS256"],
 )
 
 _import_strings = [
diff --git a/setup.py b/setup.py
index 14c08c2..00bcc75 100644
--- a/setup.py
+++ b/setup.py
@@ -10,7 +10,7 @@ setup(
     name="django-helusers",
-    version="0.11.0",
+    version="0.12.0",
     packages=["helusers"],
     include_package_data=True,
     license="BSD License",