Merge pull request #2550 from IFRCGo/feat/jwt-monty

feat: update token algorithm

Author: szabozoltan69

main/settings.py

@@ -122,6 +122,7 @@
     # Misc
     DISABLE_API_CACHE=(bool, False),
     # jwt private and public key (NOTE: Used algorithm ES256)
+    # FIXME: Deprecated configuration. Remove this and it references
     JWT_PRIVATE_KEY_BASE64_ENCODED=(str, None),
     JWT_PUBLIC_KEY_BASE64_ENCODED=(str, None),
     JWT_PRIVATE_KEY=(str, None),
@@ -849,6 +850,8 @@ def decode_base64(env_key, fallback_env_key):
 AZURE_OPENAI_DEPLOYMENT_NAME = env("AZURE_OPENAI_DEPLOYMENT_NAME")
 
 OIDC_ENABLE = env("OIDC_ENABLE")
+OIDC_RSA_PRIVATE_KEY = None
+OIDC_RSA_PUBLIC_KEY = None
 if OIDC_ENABLE:
     LOGIN_REDIRECT_URL = "go_login"
     LOGOUT_REDIRECT_URL = "go_login"

registrations/migrations/0012_userexternaltoken_is_old_token.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.19 on 2025-09-05 05:21
+
+from django.db import migrations, models
+
+
+def set_is_old_token(apps, schema_editor):
+    UserExternalToken = apps.get_model("registrations", "UserExternalToken")
+    UserExternalToken.objects.update(is_old_token=True)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('registrations', '0011_userexternaltoken'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='userexternaltoken',
+            name='is_old_token',
+            field=models.BooleanField(default=False, help_text='Marks whether this is an old Montandon token', verbose_name='is old token?'),
+        ),
+        migrations.RunPython(set_is_old_token, reverse_code=migrations.RunPython.noop),
+    ]

registrations/models.py

@@ -91,6 +91,13 @@ class UserExternalToken(models.Model):
     jti = models.UUIDField(default=uuid.uuid4, editable=False, unique=True, help_text=_("Unique identifier for the token"))
     created_at = models.DateTimeField(verbose_name=_("created at"), auto_now_add=True)
     expire_timestamp = models.DateTimeField(verbose_name=_("expire timestamp"))
+
+    # FIXME: Cleanup old token and remove this field
+    is_old_token = models.BooleanField(
+        verbose_name=_("is old token?"),
+        default=False,
+        help_text=_("Marks whether this is an old Montandon token"),
+    )
     # @Note: Currently not used, but could be utilized for a blacklist feature.
     # is_disabled = models.BooleanField(verbose_name=_('is disabled?'), default=False)
 
@@ -102,4 +109,9 @@ def __str__(self):
         return f'{self.title}-{self.expire_timestamp.strftime("%Y-%m-%d")}'
 
     def get_payload(self) -> dict:
-        return {"jti": str(self.jti), "userId": self.user_id, "exp": self.expire_timestamp, "inMovement": True}
+        return {
+            "jti": str(self.jti),
+            "userId": self.user_id,
+            "exp": self.expire_timestamp,
+            "inMovement": True,
+        }

registrations/serializers.py

@@ -145,10 +145,11 @@ def save(self):
 class UserExternalTokenSerializer(serializers.ModelSerializer):
     token = serializers.CharField(read_only=True)
     expire_timestamp = serializers.DateTimeField(required=False)
+    is_old_token = serializers.BooleanField(read_only=True)
 
     class Meta:
         model = UserExternalToken
-        fields = ["title", "token", "expire_timestamp", "created_at"]
+        fields = ["title", "token", "expire_timestamp", "created_at", "is_old_token"]
 
     def validate_expire_timestamp(self, date):
         now = timezone.now()
@@ -169,7 +170,7 @@ def create(self, validated_data):
             validated_data["expire_timestamp"] = timezone.now() + timedelta(days=settings.JWT_EXPIRE_TIMESTAMP_DAYS)
 
         # Check if private and public key exists
-        if not (settings.JWT_PRIVATE_KEY and settings.JWT_PUBLIC_KEY):
+        if not (settings.OIDC_RSA_PRIVATE_KEY and settings.OIDC_RSA_PUBLIC_KEY):
             raise serializers.ValidationError("Please contact system adminstrators to configurate private and public key.")
         instance = super().create(validated_data)
         validated_data["created_at"] = instance.created_at

registrations/test_views.py

@@ -10,7 +10,7 @@
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import rsa
 from django.contrib.auth.models import User
 from django.test import override_settings
 from rest_framework.test import APITestCase
@@ -175,7 +175,7 @@ class UserExternalTokenTest(GoAPITestCase):
 
     def setUp(self):
         super().setUp()
-        private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
+        private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=default_backend())
         public_key = private_key.public_key()
         private_key_pem = private_key.private_bytes(
             encoding=serialization.Encoding.PEM,
@@ -185,11 +185,12 @@ def setUp(self):
 
         # Serialize public key
         public_key_pem = public_key.public_bytes(
-            encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
         )
 
-        self.JWT_PRIVATE_KEY = private_key_pem.decode("utf-8")
-        self.JWT_PUBLIC_KEY = public_key_pem.decode("utf-8")
+        self.OIDC_RSA_PRIVATE_KEY = private_key_pem.decode("utf-8")
+        self.OIDC_RSA_PUBLIC_KEY = public_key_pem.decode("utf-8")
 
     def test_external_token_with_key(self):
         self.client.force_authenticate(self.user)
@@ -205,8 +206,8 @@ def test_external_token_with_key(self):
         data = {"title": "ok"}
 
         with override_settings(
-            JWT_PRIVATE_KEY=self.JWT_PRIVATE_KEY,
-            JWT_PUBLIC_KEY=self.JWT_PUBLIC_KEY,
+            OIDC_RSA_PRIVATE_KEY=self.OIDC_RSA_PRIVATE_KEY,
+            OIDC_RSA_PUBLIC_KEY=self.OIDC_RSA_PUBLIC_KEY,
         ):
             response = self.client.post("/api/v2/external-token/", data, format="json")
         self.assertEqual(response.status_code, 201)

registrations/utils.py

@@ -2,6 +2,7 @@
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.db.models.functions import Lower
+from oauth2_provider.utils import jwk_from_pem
 
 from api.models import Country, Profile, UserRegion
 
@@ -47,16 +48,12 @@ def getRegionalAdmins(userId):
 
 
 def jwt_encode_handler(payload):
+    key = jwk_from_pem(settings.OIDC_RSA_PRIVATE_KEY)
     return jwt.encode(
         payload,
-        settings.JWT_PRIVATE_KEY,
-        algorithm="ES256",
-    )
-
-
-def jwt_decode_handler(token):
-    return jwt.decode(
-        token,
-        settings.JWT_PUBLIC_KEY,
-        algorithms=["ES256"],
+        settings.OIDC_RSA_PRIVATE_KEY,
+        headers={
+            "kid": key.thumbprint(),
+        },
+        algorithm="RS256",
     )

registrations/views.py

@@ -152,7 +152,11 @@ class UserExternalTokenViewset(viewsets.ModelViewSet):
     ]
 
     def get_queryset(self):
-        return UserExternalToken.objects.filter(user=self.request.user)
+        return UserExternalToken.objects.filter(
+            user=self.request.user,
+            # NOTE: Hide old token from API
+            is_old_token=False,
+        )
 
     def destroy(self, request, *args, **kwargs):
         return bad_request("Delete method not allowed")