Sem-Ver: feature Add support to the various frameworks for being able to specify to not check jti uniqueness.

Signed-off-by: David Black <[email protected]>

Author: dbaxa

atlassian_jwt_auth/frameworks/common/backend.py

@@ -42,7 +42,10 @@ class Backend():
         'ASAP_VALID_ISSUERS': None,
 
         # Enforce that the ASAP subject must match the issuer
-        'ASAP_SUBJECT_SHOULD_MATCH_ISSUER': None
+        'ASAP_SUBJECT_SHOULD_MATCH_ISSUER': None,
+
+        # Enforce that tokens have a unique JTI
+        'ASAP_CHECK_JTI_UNIQUENESS': None,
     }
 
     @abstractmethod
@@ -100,6 +103,8 @@ def _get_verifier(self, settings):
         if settings.ASAP_SUBJECT_SHOULD_MATCH_ISSUER is not None:
             kwargs = {'subject_should_match_issuer':
                       settings.ASAP_SUBJECT_SHOULD_MATCH_ISSUER}
+        if settings.ASAP_CHECK_JTI_UNIQUENESS is not None:
+            kwargs['check_jti_uniqueness'] = settings.ASAP_CHECK_JTI_UNIQUENESS
         return JWTAuthVerifier(
             retriever,
             **kwargs

atlassian_jwt_auth/frameworks/django/tests/test_django.py

@@ -104,6 +104,16 @@ def test_request_with_duplicate_jti_is_rejected(self):
         self.check_response('needed', 'duplicate jti', 401,
                             authorization=str_auth)
 
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        token = create_token(
+            issuer='client-app', audience='server-app',
+            key_id='client-app/key01', private_key=self._private_key_pem
+        )
+        str_auth = 'Bearer ' + token.decode(encoding='iso-8859-1')
+        self.check_response('needed', 'one', 200, authorization=str_auth)
+        self.check_response('needed', 'one', 200, authorization=str_auth)
+
     def test_request_with_string_headers_is_allowed(self):
         token = create_token(
             issuer='client-app', audience='server-app',

atlassian_jwt_auth/frameworks/flask/tests/test_flask.py

@@ -72,6 +72,15 @@ def test_request_with_duplicate_jti_is_rejected(self):
         self.assertEqual(self.send_request(token).status_code, 200)
         self.assertEqual(self.send_request(token).status_code, 401)
 
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem
+        )
+        self.assertEqual(self.send_request(token).status_code, 200)
+        self.assertEqual(self.send_request(token).status_code, 200)
+
     def test_request_with_invalid_audience_is_rejected(self):
         token = create_token(
             'client-app', 'invalid-audience',

atlassian_jwt_auth/frameworks/wsgi/tests/test_wsgi.py

@@ -74,6 +74,20 @@ def test_request_with_duplicate_jti_is_rejected(self):
             token=token, application=application)
         self.assertEqual(resp_info['status'], '401 Unauthorized')
 
+    def test_request_with_duplicate_jti_is_accepted_as_per_setting(self):
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem
+        )
+        self.config['ASAP_CHECK_JTI_UNIQUENESS'] = False
+        application = self.get_app_with_middleware(self.config)
+        body, resp_info, environ = self.send_request(
+            token=token, application=application)
+        self.assertEqual(resp_info['status'], '200 OK')
+        body, resp_info, environ = self.send_request(
+            token=token, application=application)
+        self.assertEqual(resp_info['status'], '200 OK')
+
     def test_request_with_invalid_audience_is_rejected(self):
         token = create_token(
             'client-app', 'invalid-audience',