Sem-Ver: api-break Disable jti uniqueness checking by default.

Signed-off-by: David Black <[email protected]>

Author: dbaxa

atlassian_jwt_auth/frameworks/common/backend.py

@@ -45,6 +45,7 @@ class Backend():
         'ASAP_SUBJECT_SHOULD_MATCH_ISSUER': None,
 
         # Enforce that tokens have a unique JTI
+        # Set this to True to enforce JTI uniqueness checking.
         'ASAP_CHECK_JTI_UNIQUENESS': None,
     }
 

atlassian_jwt_auth/frameworks/django/tests/test_django.py

@@ -94,7 +94,8 @@ def check_response(self,
     def test_request_with_valid_token_is_allowed(self):
         self.check_response('needed', 'one', 200)
 
-    def test_request_with_duplicate_jti_is_rejected(self):
+    def test_request_with_duplicate_jti_is_rejected_as_per_setting(self):
+        self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = True
         token = create_token(
             issuer='client-app', audience='server-app',
             key_id='client-app/key01', private_key=self._private_key_pem
@@ -104,8 +105,7 @@ def test_request_with_duplicate_jti_is_rejected(self):
         self.check_response('needed', 'duplicate jti', 401,
                             authorization=str_auth)
 
-    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
-        self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = False
+    def _assert_request_with_duplicate_jti_is_accepted(self):
         token = create_token(
             issuer='client-app', audience='server-app',
             key_id='client-app/key01', private_key=self._private_key_pem
@@ -114,6 +114,13 @@ def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
         self.check_response('needed', 'one', 200, authorization=str_auth)
         self.check_response('needed', 'one', 200, authorization=str_auth)
 
+    def test_request_with_duplicate_jti_is_accepted(self):
+        self._assert_request_with_duplicate_jti_is_accepted()
+
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        self._assert_request_with_duplicate_jti_is_accepted()
+
     def test_request_with_string_headers_is_allowed(self):
         token = create_token(
             issuer='client-app', audience='server-app',

atlassian_jwt_auth/frameworks/flask/tests/test_flask.py

@@ -64,23 +64,30 @@ def test_request_with_valid_token_is_allowed(self):
         )
         self.assertEqual(self.send_request(token).status_code, 200)
 
-    def test_request_with_duplicate_jti_is_rejected(self):
+    def test_request_with_duplicate_jti_is_rejected_as_per_setting(self):
+        self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = True
         token = create_token(
             'client-app', 'server-app',
             'client-app/key01', self._private_key_pem
         )
         self.assertEqual(self.send_request(token).status_code, 200)
         self.assertEqual(self.send_request(token).status_code, 401)
 
-    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
-        self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
+    def _assert_request_with_duplicate_jti_is_accepted(self):
         token = create_token(
             'client-app', 'server-app',
             'client-app/key01', self._private_key_pem
         )
         self.assertEqual(self.send_request(token).status_code, 200)
         self.assertEqual(self.send_request(token).status_code, 200)
 
+    def test_request_with_duplicate_jti_is_accepted(self):
+        self._assert_request_with_duplicate_jti_is_accepted()
+
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        self._assert_request_with_duplicate_jti_is_accepted()
+
     def test_request_with_invalid_audience_is_rejected(self):
         token = create_token(
             'client-app', 'invalid-audience',

atlassian_jwt_auth/frameworks/wsgi/tests/test_wsgi.py

@@ -61,7 +61,8 @@ def test_request_with_valid_token_is_allowed(self):
         self.assertEqual(resp_info['status'], '200 OK')
         self.assertIn('ATL_ASAP_CLAIMS', environ)
 
-    def test_request_with_duplicate_jti_is_rejected(self):
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.config['ASAP_CHECK_JTI_UNIQUENESS'] = True
         token = create_token(
             'client-app', 'server-app',
             'client-app/key01', self._private_key_pem
@@ -74,12 +75,11 @@ def test_request_with_duplicate_jti_is_rejected(self):
             token=token, application=application)
         self.assertEqual(resp_info['status'], '401 Unauthorized')
 
-    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+    def _assert_request_with_duplicate_jti_is_accepted(self):
         token = create_token(
             'client-app', 'server-app',
             'client-app/key01', self._private_key_pem
         )
-        self.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
         application = self.get_app_with_middleware(self.config)
         body, resp_info, environ = self.send_request(
             token=token, application=application)
@@ -88,6 +88,13 @@ def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
             token=token, application=application)
         self.assertEqual(resp_info['status'], '200 OK')
 
+    def test_request_with_duplicate_jti_is_accepted(self):
+        self._assert_request_with_duplicate_jti_is_accepted()
+
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        self._assert_request_with_duplicate_jti_is_accepted()
+
     def test_request_with_invalid_audience_is_rejected(self):
         token = create_token(
             'client-app', 'invalid-audience',

atlassian_jwt_auth/tests/test_verifier.py

@@ -97,7 +97,8 @@ def test_verify_jwt_with_jwt_with_already_seen_jti(self):
         """ tests that verify_jwt rejects a jwt if the jti
             has already been seen.
         """
-        verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
+        verifier = self._setup_jwt_auth_verifier(
+            self._public_key_pem, check_jti_uniqueness=True)
         a_jwt = self._jwt_auth_signer.generate_jwt(
             self._example_aud)
         self.assertIsNotNone(verifier.verify_jwt(
@@ -109,6 +110,12 @@ def test_verify_jwt_with_jwt_with_already_seen_jti(self):
             with self.assertRaisesRegexp(exception, 'has already been used'):
                 verifier.verify_jwt(a_jwt, self._example_aud)
 
+    def assert_jwt_accepted_more_than_once(self, verifier, a_jwt):
+        """ asserts that the given jwt is accepted more than once. """
+        for i in range(0, 3):
+            self.assertIsNotNone(
+                verifier.verify_jwt(a_jwt, self._example_aud))
+
     def test_verify_jwt_with_already_seen_jti_with_uniqueness_disabled(self):
         """ tests that verify_jwt accepts a jwt if the jti
             has already been seen and the verifier has been set
@@ -117,9 +124,16 @@ def test_verify_jwt_with_already_seen_jti_with_uniqueness_disabled(self):
         verifier = self._setup_jwt_auth_verifier(
             self._public_key_pem, check_jti_uniqueness=False)
         a_jwt = self._jwt_auth_signer.generate_jwt(self._example_aud)
-        for i in range(0, 3):
-            self.assertIsNotNone(
-                verifier.verify_jwt(a_jwt, self._example_aud))
+        self.assert_jwt_accepted_more_than_once(verifier, a_jwt)
+
+    def test_verify_jwt_with_already_seen_jti_default(self):
+        """ tests that verify_jwt by default accepts a jwt if the jti
+            has already been seen.
+        """
+        verifier = self._setup_jwt_auth_verifier(
+            self._public_key_pem)
+        a_jwt = self._jwt_auth_signer.generate_jwt(self._example_aud)
+        self.assert_jwt_accepted_more_than_once(verifier, a_jwt)
 
     def test_verify_jwt_subject_should_match_issuer(self):
         verifier = self._setup_jwt_auth_verifier(

atlassian_jwt_auth/verifier.py

@@ -18,7 +18,7 @@ def __init__(self, public_key_retriever, **kwargs):
         self._subject_should_match_issuer = kwargs.get(
             'subject_should_match_issuer', True)
         self._check_jti_uniqueness = kwargs.get(
-            'check_jti_uniqueness', True)
+            'check_jti_uniqueness', False)
 
     def verify_jwt(self, a_jwt, audience, leeway=0, **requests_kwargs):
         """Verify if the token is correct