increased security - allow secret to be kept on user model.

Author: jacoor

docs/index.md

@@ -163,6 +163,7 @@ JWT_AUTH = {
     'rest_framework_jwt.utils.jwt_response_payload_handler',
 
     'JWT_SECRET_KEY': settings.SECRET_KEY,
+    'JWT_GET_USER_SECRET_KEY': None,
     'JWT_PUBLIC_KEY': None,
     'JWT_PRIVATE_KEY': None,
     'JWT_ALGORITHM': 'HS256',
@@ -177,6 +178,7 @@ JWT_AUTH = {
     'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
 
     'JWT_AUTH_HEADER_PREFIX': 'JWT',
+    'JWT_AUTH_USER_MODEL': settings.AUTH_USER_MODEL,
 }
 ```
 This packages uses the JSON Web Token Python implementation, [PyJWT](https://github.com/jpadilla/pyjwt) and allows to modify some of it's available options.
@@ -186,6 +188,12 @@ This is the secret key used to sign the JWT. Make sure this is safe and not shar
 
 Default is your project's `settings.SECRET_KEY`.
 
+### JWT_GET_USER_SECRET_KEY
+This is more robust version of JWT_SECRET_KEY. It is defined per User, so in case token is compromised it can be
+easily changed by owner. Changing this value will make all tokens for given user unusable. Value should be a function, accepting user as only parameter and returning it's secret key.
+
+Default is `None`.
+
 ### JWT_PUBLIC_KEY
 This is an object of type `cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. It will be used to verify the signature of the incoming JWT. Will override `JWT_SECRET_KEY` when set. Read the [documentation](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey) for more details. Please note that `JWT_ALGORITHM` must be set to one of `RS256`, `RS384`, or `RS512`.
 
@@ -276,6 +284,11 @@ Another common value used for tokens and Authorization headers is `Bearer`.
 
 Default is `JWT`.
 
+### JWT_AUTH_USER_MODEL
+This points the app to default user model. It is used in conjuction with 'JWT_GET_USER_SECRET_KEY'. In most cases default value should be enough.
+
+Default is `settings.AUTH_USER_MODEL`.
+
 ## Extending `JSONWebTokenAuthentication`
 
 Right now `JSONWebTokenAuthentication` assumes that the JWT will come in the header. The JWT spec does not require this (see: [Making a service Call](https://developer.atlassian.com/static/connect/docs/concepts/authentication.html)). For example, the JWT may come in the querystring. The ability to send the JWT in the querystring is needed in cases where the user cannot set the header (for example the src element in HTML).

rest_framework_jwt/settings.py

@@ -32,6 +32,7 @@
     'rest_framework_jwt.utils.jwt_response_payload_handler',
 
     'JWT_SECRET_KEY': settings.SECRET_KEY,
+    'JWT_GET_USER_SECRET_KEY': None,
     'JWT_ALGORITHM': 'HS256',
     'JWT_VERIFY': True,
     'JWT_VERIFY_EXPIRATION': True,
@@ -44,6 +45,7 @@
     'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
 
     'JWT_AUTH_HEADER_PREFIX': 'JWT',
+    'JWT_AUTH_USER_MODEL': settings.AUTH_USER_MODEL,
 }
 
 # List of settings that may be in string import notation.
@@ -54,6 +56,7 @@
     'JWT_PAYLOAD_GET_USER_ID_HANDLER',
     'JWT_PAYLOAD_GET_USERNAME_HANDLER',
     'JWT_RESPONSE_PAYLOAD_HANDLER',
+    'JWT_GET_USER_SECRET_KEY',
 )
 
 api_settings = APISettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS)

rest_framework_jwt/utils.py

@@ -1,13 +1,39 @@
 import jwt
 import uuid
 import warnings
+
+from six import string_types
+
+from django.db.models.loading import get_model
+
 from calendar import timegm
 from datetime import datetime
 
-from rest_framework_jwt.compat import get_username, get_username_field
+from rest_framework_jwt.compat import get_username
+from rest_framework_jwt.compat import get_username_field
 from rest_framework_jwt.settings import api_settings
 
 
+def jwt_get_secret_key(user_id=None):
+    """
+        For enchanced security you may use secret key on user itself.
+        This way you have an option to logout only this user if:
+            - token is compromised
+            - password is changed
+            - etc.
+    """
+    if api_settings.JWT_GET_USER_SECRET_KEY:
+        if isinstance(api_settings.JWT_AUTH_USER_MODEL, string_types):
+            parts = api_settings.JWT_AUTH_USER_MODEL.rsplit('.', 1)
+            Account = get_model(parts[0], parts[1])
+        else:
+            Account = api_settings.JWT_AUTH_USER_MODEL
+        user = Account.objects.get(pk=user_id)
+        key = str(api_settings.JWT_GET_USER_SECRET_KEY(user))
+        return key
+    return api_settings.JWT_SECRET_KEY
+
+
 def jwt_payload_handler(user):
     username_field = get_username_field()
     username = get_username(user)
@@ -66,9 +92,10 @@ def jwt_get_username_from_payload_handler(payload):
 
 
 def jwt_encode_handler(payload):
+    key = api_settings.JWT_PRIVATE_KEY or jwt_get_secret_key(payload.get('user_id'))
     return jwt.encode(
         payload,
-        api_settings.JWT_PRIVATE_KEY or api_settings.JWT_SECRET_KEY,
+        key,
         api_settings.JWT_ALGORITHM
     ).decode('utf-8')
 
@@ -77,10 +104,12 @@ def jwt_decode_handler(token):
     options = {
         'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
     }
-
+    # get user from token, BEFORE verification, to get user secret key
+    unverified_payload = jwt.decode(token, None, False)
+    secret_key = jwt_get_secret_key(unverified_payload.get('user_id'))
     return jwt.decode(
         token,
-        api_settings.JWT_PUBLIC_KEY or api_settings.JWT_SECRET_KEY,
+        api_settings.JWT_PUBLIC_KEY or secret_key,
         api_settings.JWT_VERIFY,
         options=options,
         leeway=api_settings.JWT_LEEWAY,

tests/models.py

@@ -1,10 +1,16 @@
 import uuid
+
+from django.contrib.auth.models import AbstractBaseUser
+from django.contrib.auth.models import BaseUserManager
 from django.db import models
-from django.contrib.auth.models import AbstractBaseUser, BaseUserManager
 
 
 class CustomUser(AbstractBaseUser):
     email = models.EmailField(max_length=255, unique=True)
+    jwt_secret = models.UUIDField(
+        'Token secret',
+        help_text='Changing this will log out user everywhere',
+        default=uuid.uuid4)
 
     objects = BaseUserManager()
 

tests/test_authentication.py

@@ -1,4 +1,10 @@
 import unittest
+import uuid
+
+from .models import CustomUser
+
+from .utils import get_jwt_secret
+from django.test.utils import override_settings
 
 from django.test import TestCase
 from rest_framework import status
@@ -19,11 +25,13 @@
         # because models have not been initialized.
         oauth2_provider = None
 
-from rest_framework.test import APIRequestFactory, APIClient
+from rest_framework.test import APIClient
+from rest_framework.test import APIRequestFactory
 
 from rest_framework_jwt import utils
 from rest_framework_jwt.compat import get_user_model
-from rest_framework_jwt.settings import api_settings, DEFAULTS
+from rest_framework_jwt.settings import DEFAULTS
+from rest_framework_jwt.settings import api_settings
 
 User = get_user_model()
 
@@ -137,6 +145,38 @@ def test_post_expired_token_failing_jwt_auth(self):
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
         self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
 
+    @override_settings(AUTH_USER_MODEL='tests.CustomUser')
+    def test_post_form_failing_jwt_auth_changed_user_secret_key(self):
+        """
+        Ensure changin secret key on USER level makes tokens invalid
+        """
+        # fine tune settings
+        api_settings.JWT_AUTH_USER_MODEL = CustomUser
+        api_settings.JWT_GET_USER_SECRET_KEY = get_jwt_secret
+
+        tmp_user = CustomUser.objects.create(email='[email protected]')
+        payload = utils.jwt_payload_handler(tmp_user)
+        token = utils.jwt_encode_handler(payload)
+
+        auth = 'JWT {0}'.format(token)
+        response = self.csrf_client.post(
+            '/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json')
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # change token, verify
+        tmp_user.jwt_secret = uuid.uuid4()
+        tmp_user.save()
+
+        response = self.csrf_client.post(
+            '/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
+
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+        #revert api settings
+        api_settings.JWT_AUTH_USER_MODEL = DEFAULTS['JWT_AUTH_USER_MODEL']
+        api_settings.JWT_GET_USER_SECRET_KEY = DEFAULTS['JWT_GET_USER_SECRET_KEY']
+
     def test_post_invalid_token_failing_jwt_auth(self):
         """
         Ensure POSTing over JWT auth with invalid token fails

tests/utils.py

@@ -20,3 +20,7 @@ def jwt_response_payload_handler(token, user=None, request=None):
         'user': get_username(user),
         'token': token
     }
+
+
+def get_jwt_secret(user):
+    return user.jwt_secret