Skip to content

Commit

Permalink
Merge pull request #71 from abbastoof/fix/071-fix-security-issue-in-b…
Browse files Browse the repository at this point in the history
…ackend

fixed security issue in token-service where user-service in login nee…
  • Loading branch information
abbastoof authored Aug 16, 2024
2 parents 5830e41 + 782ea12 commit 30e8f34
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 11 deletions.
18 changes: 9 additions & 9 deletions Backend/token_service/token_service/token_app/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,9 @@
from .models import UserTokens
import jwt
from rest_framework.permissions import AllowAny
from dotenv import load_dotenv
import os
from django.conf import settings

load_dotenv()
SECRET = os.environ.get('DJANGO_SECRET')
SECRET = settings.SECRET_KEY

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
Expand Down Expand Up @@ -46,7 +44,12 @@ def post(self, request, *args, **kwargs) -> Response:
Response: The response object containing the token details.
"""
secret_key = request.headers.get('X-SERVICE-SECRET')
if secret_key == SECRET:
response_message = {}
if secret_key is None:
response_message = {"error": "Unauthorized request"}
logger.info('Invalid secret keys = %s', response_message)
status_code = status.HTTP_401_UNAUTHORIZED
else:
response_message = {}
status_code = status.HTTP_201_CREATED
id = request.data.get("id")
Expand Down Expand Up @@ -93,10 +96,7 @@ def post(self, request, *args, **kwargs) -> Response:
except Exception as err:
response_message = {"error": str(err)}
status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
else:
logger.info('Invalid secret keys = %s', response_message)
response_message = {"error": "Unauthorized request"}
status_code = status.HTTP_401_UNAUTHORIZED

logger.info('response_message = %s', response_message)
return Response(response_message, status=status_code)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@
load_dotenv()
TOEKNSERVICE = os.environ.get('TOKEN_SERVICE')

headers = {
"X-SERVICE-SECRET": settings.SECRET_KEY # Replace with your actual secret key
}

logger = logging.getLogger(__name__)

def generate_password():
Expand Down Expand Up @@ -69,12 +73,13 @@ def login(self, request):
status_code = status.HTTP_200_OK
else:
data = {"id": serializer.data["id"], "username": serializer.data["username"]}
response = requests.post(f"{TOEKNSERVICE}/auth/token/gen-tokens/", data=data)
response = requests.post(f"{TOEKNSERVICE}/auth/token/gen-tokens/", data=data, headers=headers)
if response.status_code == 201:
response_message = response.json()
logger.info('user_data = %s', response_message)
logger.info('user_data = %s', response.json())
if "error" in response_message:
status_code = response_message.get("status_code")
response_message = response.json()
else:
status_code = status.HTTP_200_OK
else:
Expand Down

0 comments on commit 30e8f34

Please sign in to comment.