Enhance session token validation by adding support for InvalidAlgorithmError and updating error handling for token decoding. Update tests to cover disallowed algorithms.

Dopeamin · Dopeamin · commit 3ce3ef2800bb · 2025-06-11T14:31:44.000+02:00
diff --git a/src/corbado_python_sdk/services/implementation/session_service.py b/src/corbado_python_sdk/services/implementation/session_service.py
@@ -3,6 +3,7 @@
     ExpiredSignatureError,
     ImmatureSignatureError,
     InvalidSignatureError,
+    InvalidAlgorithmError,
     decode,
 )
 from jwt.jwks_client import PyJWKClient
@@ -16,6 +17,7 @@
 )
 
 DEFAULT_SESSION_TOKEN_LENGTH = 300
+ALLOWED_ALGS = {"RS256"}
 
 
 class SessionService(BaseModel):
@@ -90,7 +92,7 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
 
         # decode short session (jwt) with signing key
         try:
-            payload = decode(jwt=session_token, key=signing_key.key, algorithms=["RS256"])
+            payload = decode(jwt=session_token, key=signing_key.key, algorithms=list(ALLOWED_ALGS))
 
             # extract information from decoded payload
             token_issuer: str = payload.get("iss")
@@ -104,15 +106,21 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
             )
         except ExpiredSignatureError as error:
             raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
-                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+                error_type=ValidationErrorType.CODE_JWT_EXPIRED,
+                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
                 original_exception=error,
             )
 
         except InvalidSignatureError as error:
             raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_EXPIRED,
-                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_EXPIRED.value}",
+                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+                message=f"Error occured during token decode: {session_token}. {ValidationErrorType.CODE_JWT_INVALID_SIGNATURE.value}",
+                original_exception=error,
+            )
+        except InvalidAlgorithmError as error:
+            raise TokenValidationException(
+                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
+                message="Algorithm not allowed",
                 original_exception=error,
             )
 
diff --git a/tests/unit/test_session_service.py b/tests/unit/test_session_service.py
@@ -9,6 +9,7 @@
     ExpiredSignatureError,
     ImmatureSignatureError,
     InvalidSignatureError,
+    InvalidAlgorithmError,
     PyJWKClientError,
     encode,
 )
@@ -193,6 +194,16 @@ def _provide_jwts(self):
                 None,
                 None,
             ),
+            # Disallowed algorithm "none"
+            (
+                False,
+                "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
+                "eyJpc3MiOiJodHRwczovL2F1dGguYWNtZS5jb20iLCJzdWIiOiIxMjM0NSIsImlhdCI6"
+                + str(int(time()))
+                + "f.",
+                InvalidAlgorithmError,
+                "Algorithm not allowed",
+            ),
         ]
 
     @classmethod
