fix: revent potential 500s: guard compare_digest() against non-str/bytes in typ & sub

seapagan · seapagan · commit 5cc9d6700b72 · 2026-01-09T11:41:59.000Z
Signed-off-by: Grant Ramsay &lt;seapagan@gmail.com&gt;
diff --git a/app/managers/auth.py b/app/managers/auth.py
@@ -192,15 +192,18 @@ async def refresh(
 
             # Use constant-time comparison to prevent timing attacks
             token_type = payload.get("typ")
-            if token_type is None or not secrets.compare_digest(
+            if not isinstance(token_type, str) or not secrets.compare_digest(
                 token_type, "refresh"
             ):
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
 
             user_id = payload.get("sub")
-            if user_id is None:
+            # Accept int-like strings but reject weird types early
+            if isinstance(user_id, str) and user_id.isdigit():
+                user_id = int(user_id)
+            if not isinstance(user_id, int):
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
@@ -267,21 +270,24 @@ async def verify(code: str, session: AsyncSession) -> None:
                 options={"verify_sub": False},
             )
 
-            user_id = payload.get("sub")
-            if user_id is None:
-                raise HTTPException(
-                    status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
-                )
-
             # Use constant-time comparison to prevent timing attacks
             token_type = payload.get("typ")
-            if token_type is None or not secrets.compare_digest(
+            if not isinstance(token_type, str) or not secrets.compare_digest(
                 token_type, "verify"
             ):
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
 
+            user_id = payload.get("sub")
+            # Accept int-like strings but reject weird types early
+            if isinstance(user_id, str) and user_id.isdigit():
+                user_id = int(user_id)
+            if not isinstance(user_id, int):
+                raise HTTPException(
+                    status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
+                )
+
             user_data = await session.get(User, user_id)
 
             if not user_data:
@@ -402,21 +408,24 @@ async def reset_password(
                 options={"verify_sub": False},
             )
 
-            user_id = payload.get("sub")
-            if user_id is None:
-                raise HTTPException(
-                    status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
-                )
-
             # Use constant-time comparison to prevent timing attacks
             token_type = payload.get("typ")
-            if token_type is None or not secrets.compare_digest(
+            if not isinstance(token_type, str) or not secrets.compare_digest(
                 token_type, "reset"
             ):
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
 
+            user_id = payload.get("sub")
+            # Accept int-like strings but reject weird types early
+            if isinstance(user_id, str) and user_id.isdigit():
+                user_id = int(user_id)
+            if not isinstance(user_id, int):
+                raise HTTPException(
+                    status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
+                )
+
             user_data = await session.get(User, user_id)
 
             if not user_data:
