Posted to commits@superset.apache.org by cr...@apache.org on 2023/10/23 18:28:47 UTC

[superset] branch master updated: chore(websocket): [WIP] Making JWT algos configurable (#25521)

This is an automated email from the ASF dual-hosted git repository.

craigrueda pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 861ee8b3c6 chore(websocket): [WIP] Making JWT algos configurable (#25521)
861ee8b3c6 is described below

commit 861ee8b3c6886a61c6d9ed3f819f7bc35ab2867d
Author: Craig Rueda <cr...@craigrueda.com>
AuthorDate: Mon Oct 23 11:28:41 2023 -0700

    chore(websocket): [WIP] Making JWT algos configurable (#25521)
---
 superset-websocket/config.example.json | 1 +
 superset-websocket/src/config.ts       | 2 ++
 superset-websocket/src/index.ts        | 7 +++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/superset-websocket/config.example.json b/superset-websocket/config.example.json
index 305c308362..296a0bee39 100644
--- a/superset-websocket/config.example.json
+++ b/superset-websocket/config.example.json
@@ -16,6 +16,7 @@
     "ssl": false
   },
   "redisStreamPrefix": "async-events-",
+  "jwtAlgorithms": ["HS256"],
   "jwtSecret": "CHANGE-ME",
   "jwtCookieName": "async-token"
 }
diff --git a/superset-websocket/src/config.ts b/superset-websocket/src/config.ts
index 7d0fac323e..aa361d17e2 100644
--- a/superset-websocket/src/config.ts
+++ b/superset-websocket/src/config.ts
@@ -36,6 +36,7 @@ type ConfigType = {
   redisStreamPrefix: string;
   redisStreamReadCount: number;
   redisStreamReadBlockMs: number;
+  jwtAlgorithms: string[];
   jwtSecret: string;
   jwtCookieName: string;
   jwtChannelIdKey: string;
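Review bot: `jwtAlgorithms: string[]` admits any string, so the type does nothing to catch a misspelled entry or an algorithm family that does not fit the shared-secret `jwtSecret` flow; the only symptom would be every token being rejected, which is fail-closed but hard to diagnose. If config.ts may depend on the package, `import type { Algorithm } from 'jsonwebtoken'` and declaring the field as `jwtAlgorithms: Algorithm[]` would remove the cast that index.ts needs for this same field; otherwise a runtime check of the list where the config is loaded would give the operator a clear startup error. A one-line comment on the field would also help: `// Allowlist of JWT signing algorithms accepted by jwt.verify(); HS256 only by default.` The enclosing `type ConfigType` starts before this hunk and continues after it.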
@@ -53,6 +54,7 @@ function defaultConfig(): ConfigType {
     redisStreamPrefix: 'async-events-',
     redisStreamReadCount: 100,
     redisStreamReadBlockMs: 5000,
+    jwtAlgorithms: ['HS256'],
     jwtSecret: '',
     jwtCookieName: 'async-token',
     jwtChannelIdKey: 'channel',
diff --git a/superset-websocket/src/index.ts b/superset-websocket/src/index.ts
index 782275e5ca..cd73a6baa6 100644
--- a/superset-websocket/src/index.ts
+++ b/superset-websocket/src/index.ts
@@ -20,7 +20,7 @@ import * as http from 'http';
 import * as net from 'net';
 import WebSocket from 'ws';
 import { v4 as uuidv4 } from 'uuid';
-import jwt from 'jsonwebtoken';
+import jwt, { Algorithm } from 'jsonwebtoken';
 import cookie from 'cookie';
 import Redis from 'ioredis';
 import StatsD from 'hot-shots';
@@ -261,7 +261,10 @@ const readChannelId = (request: http.IncomingMessage): string => {
   const token = cookies[opts.jwtCookieName];
 
   if (!token) throw new Error('JWT not present');
-  const jwtPayload = jwt.verify(token, opts.jwtSecret) as JwtPayload;
+  const jwtPayload = jwt.verify(token, opts.jwtSecret, {
+    algorithms: opts.jwtAlgorithms as Algorithm[],
+    complete: false,
+  }) as JwtPayload;
   const channelId = jwtPayload[opts.jwtChannelIdKey];
 
   if (!channelId) throw new Error('Channel ID not present in JWT');
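Review bot: `opts.jwtAlgorithms as Algorithm[]` asserts rather than checks, so an unsupported value coming from the config file is only discovered when jwt.verify() rejects it on every request; checking the configured list once at startup would surface that as a boot-time error instead. As far as I recall, `complete: false` is already jsonwebtoken's default for verify(); either drop it or keep it with a short comment, e.g. `// complete: false -> return the payload only, not { header, payload, signature }`, so a reader knows it is deliberate. Pinning `algorithms` to a configured allowlist is the right defensive move here, since it stops a presented token from choosing how it is verified; a brief comment stating that intent would keep a future refactor from removing the option. readChannelId begins before this hunk and continues after it.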