ISSUE_NUMBER: GH-16
Description
The checkAuth function in middleware/checkAuth.py prioritizes the JWT token from the cookie over the Authorization header. This behavior might be unintentional and could lead to security issues.
File: repositories/jobflowapi/middleware/checkAuth.py
Line: 13
Severity: medium
Current Behavior
The code retrieves the token from request.cookies.get('token') or request.headers.get('Authorization'). This means that if both the cookie and the header contain a token, the cookie token will be used.
Expected Behavior
The code should either prioritize the Authorization header or provide a mechanism to configure the preferred token source.
Suggested Fix
Modify the code to prioritize the Authorization header or provide a configuration option to select the preferred token source.
Code Context
token = request.cookies.get('token') or request.headers.get('Authorization')
Additional Notes
This could allow an attacker to inject a malicious cookie and bypass authentication.
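The following is an added example, not code from the jobflowapi project, that shows the current cookie-first lookup next to a precedence-aware replacement. It assumes (beyond what the issue states) that the Authorization header carries a "Bearer <token>" value, that the request object exposes cookies and headers mappings, and that header lookup is case-insensitive as in Flask; the FakeRequest and CaseInsensitiveHeaders classes are constructed stand-ins so the block runs offline. The priority tuple plays the role of the configuration option the issue asks for, defaulting to the header.

```python
"""Added example (not jobflowapi code): token-source selection for a
checkAuth-style middleware, header preferred over cookie, precedence
configurable. Assumptions: "Bearer <token>" header scheme, a request
object with `cookies` and `headers` mappings, case-insensitive header
lookup (emulated below)."""
from dataclasses import dataclass, field
from typing import Mapping, Optional, Tuple

# Hypothetical configuration knob: sources are tried in this order. In a real
# app this would come from settings or an environment variable.
TOKEN_SOURCE_PRIORITY = ("header", "cookie")


class CaseInsensitiveHeaders(dict):
    """Minimal stand-in for a framework header map (constructed for this example)."""

    def __init__(self, items: Mapping[str, str]):
        super().__init__({k.lower(): v for k, v in items.items()})

    def get(self, key, default=None):
        return super().get(key.lower(), default)


@dataclass
class FakeRequest:
    """Constructed request with the two attributes checkAuth reads."""
    cookies: dict = field(default_factory=dict)
    headers: CaseInsensitiveHeaders = field(
        default_factory=lambda: CaseInsensitiveHeaders({}))


def token_from_header(request) -> Optional[str]:
    """Bearer token from the Authorization header, or None if absent/malformed."""
    raw = request.headers.get("Authorization")
    if not raw:
        return None
    scheme, _, token = raw.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        # A malformed header yields no header token; the next configured
        # source is then consulted.
        return None
    return token.strip()


def token_from_cookie(request) -> Optional[str]:
    """Token from the 'token' cookie, or None."""
    return request.cookies.get("token") or None


def original_lookup(request) -> Optional[str]:
    """The behaviour reported in the issue: the cookie wins when both exist."""
    return request.cookies.get("token") or request.headers.get("Authorization")


def select_token(request, priority=TOKEN_SOURCE_PRIORITY) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, source) using the configured precedence.

    Sources are tried in `priority` order and the first that yields a token
    wins, so with the default ("header", "cookie") a cookie can no longer
    shadow an explicit Authorization header. Returning the source lets the
    caller log which credential path authenticated the request.
    """
    readers = {"header": token_from_header, "cookie": token_from_cookie}
    for source in priority:
        token = readers[source](request)
        if token:
            return token, source
    return None, None


if __name__ == "__main__":
    req = FakeRequest(
        cookies={"token": "cookie.jwt"},
        headers=CaseInsensitiveHeaders({"Authorization": "Bearer header.jwt"}))
    print(original_lookup(req))                     # cookie.jwt (cookie shadows header)
    print(select_token(req))                        # ('header.jwt', 'header')
    print(select_token(req, ("cookie", "header")))  # ('cookie.jwt', 'cookie')
```

Whichever source is chosen, the returned token still has to pass the existing JWT signature and expiry checks; this only decides which presented credential is verified, and logging the returned source makes a cookie-versus-header mismatch visible in the access logs.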