From 891112e07d537bf3d7fd84faf704fdb8476fb79a Mon Sep 17 00:00:00 2001
From: lchen-2101 <73617864+lchen-2101@users.noreply.github.com>
Date: Thu, 21 Sep 2023 13:47:11 -0400
Subject: [PATCH] feat: make jwt options configurable
---
 src/.env.local | 3 ++-
 src/.env.template | 3 ++-
 src/oauth2/oauth2_admin.py | 29 ++++++++++++++++++++++++-----
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/.env.local b/src/.env.local
index ad9cc84..b7512e1 100644
--- a/src/.env.local
+++ b/src/.env.local
@@ -13,4 +13,5 @@ INST_DB_USER=fi
 INST_DB_PWD=fi
 INST_DB_HOST=localhost:5432
 INST_DB_SCHEMA=public
-INST_CONN=postgresql+asyncpg://${INST_DB_USER}:${INST_DB_PWD}@${INST_DB_HOST}/${INST_DB_NAME}
\ No newline at end of file
+INST_CONN=postgresql+asyncpg://${INST_DB_USER}:${INST_DB_PWD}@${INST_DB_HOST}/${INST_DB_NAME}
+JWT_OPTS=verify_at_hash:False,verify_aud:False,verify_iss:False
\ No newline at end of file
diff --git a/src/.env.template b/src/.env.template
index 7ccb51a..366bdec 100644
--- a/src/.env.template
+++ b/src/.env.template
@@ -13,4 +13,5 @@ INST_DB_USER=
 INST_DB_PWD=
 INST_DB_HOST=
 INST_DB_SCHEMA=
-INST_CONN=postgresql+asyncpg://${INST_DB_USER}:${INST_DB_PWD}@${INST_DB_HOST}/${INST_DB_NAME}
\ No newline at end of file
+INST_CONN=postgresql+asyncpg://${INST_DB_USER}:${INST_DB_PWD}@${INST_DB_HOST}/${INST_DB_NAME}
+JWT_OPTS=
\ No newline at end of file
diff --git a/src/oauth2/oauth2_admin.py b/src/oauth2/oauth2_admin.py
index 94fb16e..91d6630 100644
--- a/src/oauth2/oauth2_admin.py
+++ b/src/oauth2/oauth2_admin.py
@@ -1,3 +1,4 @@
+import ast
 from http import HTTPStatus
 import logging
 import os
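Review bot: The value added to `src/.env.local` turns off `verify_aud` and `verify_iss`, so `get_claims` in `src/oauth2/oauth2_admin.py` accepts a token for any audience or issuer even though `issuer=` and `audience=` are still passed to the decoder; that reproduces the options the Python hunk removes from the code, but keeping them in an env file makes it easy to carry the same line into a deployed `.env` unnoticed. A comment line above it, `# local dev only: audience/issuer checks disabled; do not copy this value into deployed envs` (if the dotenv loader accepts `#` comments), records the intent where the value lives. The `.env.template` hunk would benefit from the same comment plus the expected `key:literal,key:literal` format and a pointer to the python-jose options list, since the template is the only place a new developer sees the variable.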
@@ -12,6 +13,28 @@ log = logging.getLogger(__name__) +def get_jwt_opts(opts_string: str) -> Dict[str, bool | int]: + """ + Parses out the opts_string into JWT options dictionary. + + Args: + opts_string (str): comma separated key value pairs in the form of "key1:value1,key2:value2", valid options can be found here: + https://github.com/mpdavis/python-jose/blob/4b0701b46a8d00988afcc5168c2b3a1fd60d15d8/jose/jwt.py#L81 + + Returns: + dict: dictionary of options supported by jwt, mentioned in link above + """ + jwt_opts = {} + pairs = opts_string.split(",") + for pair in pairs: + [key, value] = pair.split(":", 1) + jwt_opts[key] = ast.literal_eval(value) + return jwt_opts + + +JWT_OPTS = get_jwt_opts(os.getenv("JWT_OPTS", "")) + + class OAuth2Admin: def __init__(self) -> None: self._keys = None @@ -30,11 +53,7 @@ def get_claims(self, token: str) -> Dict[str, str] | None: key=self._get_keys(), issuer=os.getenv("KC_REALM_URL"), audience=os.getenv("AUTH_CLIENT"), - options={ - "verify_at_hash": False, - "verify_aud": False, - "verify_iss": False, - }, + options=JWT_OPTS, ) except jose.ExpiredSignatureError: pass
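Review bot: `get_jwt_opts` fails on the empty string that `.env.template` ships and that `os.getenv("JWT_OPTS", "")` returns when the variable is unset: `"".split(",")` yields `[""]`, `"".split(":", 1)` yields a one-element list, and the `[key, value]` unpacking raises `ValueError` at import time, so the module cannot load unless `JWT_OPTS` is populated. Skipping blank entries lets an unset or empty variable fall through to `{}`, which hands python-jose its own defaults instead of crashing, and that is the safer fallback for a deployed environment. Stripping whitespace around keys matters too: `verify_aud:False, verify_iss:False` produces the key `" verify_iss"`, which the decoder silently ignores, so the operator's setting is dropped without any error. Wrapping the literal parse so a malformed entry names the offending pair, and noting in the docstring that values must be Python literals (`False`, not `false`), makes the fail-fast readable. The `options=JWT_OPTS` hunk further down consumes this constant and needs no further change.
```python
def get_jwt_opts(opts_string: str) -> Dict[str, bool | int]:
    # … unchanged: docstring …
    jwt_opts = {}
    for pair in opts_string.split(","):
        pair = pair.strip()
        if not pair:
            continue  # empty / unset JWT_OPTS -> {} -> python-jose defaults
        key, _, value = pair.partition(":")
        try:
            jwt_opts[key.strip()] = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"JWT_OPTS entry {pair!r} is not of the form key:literal") from exc
    return jwt_opts
```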