18 changes: 9 additions & 9 deletions api/auth/cas_auth.py
Expand Up @@ -2,6 +2,7 @@

import flask
import requests
import sqlalchemy
from flask import request, json
from flask_api import status
from xmltodict import parse
Expand Down Expand Up @@ -33,6 +34,7 @@
blueprint = flask.Blueprint('cas', __name__)

PROXY_TICKET_PREFIX = "PGT-"
JWT_TOKEN_PREFIX = "jwt:"
MEMBER_STATUS_ACTIVE = "active"
MEMBER_STATUS_SUSPENDED = "suspended"

Expand Down Expand Up @@ -281,13 +283,13 @@ def start_member_session(cas_response, ticket, auto_create_member=False):
return member_session


def start_member_session_jwt(decoded_jwt, auto_create_member=False):
def start_member_session_jwt(decoded_jwt, token_string, auto_create_member=False):

usr = decoded_jwt.get("preferred_username")

member = db.session.query(Member).filter_by(username=usr).first()

if member is None and (auto_create_member):
if member is None and (auto_create_member):
member = Member(first_name=decoded_jwt.get("given_name"),
last_name=decoded_jwt.get("family_name"),
username=usr,
Expand All @@ -299,18 +301,16 @@ def start_member_session_jwt(decoded_jwt, auto_create_member=False):
current_app.logger.error(f"Failed to add new member {usr}: {e}")
raise

member_session = MemberSession(member_id=member.id, session_key=decoded_jwt, creation_date=datetime.utcnow())
try:
db.session.add(member_session)
db.session.commit()
query = """INSERT INTO member_session (member_id, session_key, creation_date)
VALUES ({}, '{}', '{}')
ON CONFLICT (session_key) DO NOTHING;""".format(member.id, token_string, datetime.utcnow())
db.session.execute(sqlalchemy.text(query))
except Exception as e:
db.session.rollback()
current_app.logger.error(f"Failed to create member session for {usr}: {e}")
raise

current_app.logger.error(f"Found member {usr}")
current_app.logger.error(f"Member username {member.username}")

return member


Expand All @@ -323,7 +323,7 @@ def get_cas_attribute_value(attributes, attribute_key):


def decrypt_proxy_ticket(ticket):
if ticket.startswith(PROXY_TICKET_PREFIX):
if ticket.startswith(PROXY_TICKET_PREFIX) or ticket.startswith(JWT_TOKEN_PREFIX):
return ticket
else:
try:
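Review bot: `query = """INSERT INTO member_session ... """.format(member.id, token_string, datetime.utcnow())` in start_member_session_jwt builds SQL by string interpolation from token_string, which is the raw Authorization header value passed in from api/auth/security.py; verify_jwt_token checks the signature, but the string itself is still caller-supplied, and the ORM insert this replaces had no such exposure. Bind the values and keep `sqlalchemy.text` for the statement text only, as below. The old `db.session.commit()` appears to be among the removed lines, so unless the session is committed elsewhere the insert is discarded when the session closes — confirm against the caller. Storing a hash of the token rather than the token itself would also stop session_key from being a replayable credential in the database, and works unchanged with the ON CONFLICT clause. This hunk starts mid-function; the head of start_member_session_jwt is in the preceding hunk.
```python
    try:
        query = """INSERT INTO member_session (member_id, session_key, creation_date)
                   VALUES (:member_id, :session_key, :creation_date)
                   ON CONFLICT (session_key) DO NOTHING;"""
        db.session.execute(
            sqlalchemy.text(query),
            {"member_id": member.id, "session_key": token_string, "creation_date": datetime.utcnow()},
        )
        db.session.commit()
    except Exception as e:
        # … unchanged: rollback, error log, re-raise …
```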
31 changes: 20 additions & 11 deletions api/auth/security.py
Expand Up @@ -32,8 +32,8 @@ def get_authorized_user():
decoded = verify_jwt_token(auth_header_value)
if not decoded:
raise AuthenticationError("Invalid or expired jwt token.")
_member = start_member_session_jwt(decoded)

_member = start_member_session_jwt(decoded, auth_header_value)

return _member
else:
Expand All @@ -46,8 +46,8 @@ def get_authorized_user():
decoded = verify_jwt_token(token)
if not decoded:
raise AuthenticationError("Invalid or expired jwt token.")
_member = start_member_session_jwt(decoded)

_member = start_member_session_jwt(decoded, token)

return _member
else: # Malformed Authorization header
Expand Down Expand Up @@ -197,14 +197,23 @@ def verify_jwt_token(token):
signing_key = jwks_client.get_signing_key_from_jwt(token)

# Decode and validate the token
decoded_token = jwt.decode(
token,
signing_key.key,
algorithms=["RS256"],
audience=settings.JWT_AUDIENCE,
options={"verify_exp": False}
)
try:
decoded_token = jwt_decode(token, signing_key, True)
except:
# Retry without expiration validation
decoded_token = jwt_decode(token, signing_key, False)

return decoded_token
except Exception as e:
print(f"JWT validation error: {e}")
return None

def jwt_decode(token, signing_key, verify_exp):
decoded_token = jwt.decode(
token,
signing_key.key,
algorithms=["RS256"],
audience=settings.JWT_AUDIENCE,
options={"verify_exp": verify_exp}
)
return decoded_token
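Review bot: The fallback in verify_jwt_token, `except: ... decoded_token = jwt_decode(token, signing_key, False)`, turns the expiration check into a no-op: any token that fails with verify_exp=True is decoded again with it disabled, so an expired token is accepted as long as its signature and audience still validate. If expired tokens are meant to be rejected, drop the retry and let `jwt.ExpiredSignatureError` propagate to the outer handler that already returns None; if clock skew must be tolerated, pass a bounded `leeway=` to `jwt.decode` inside jwt_decode instead. The bare `except:` also swallows KeyboardInterrupt and SystemExit — if any handler is kept it should catch `jwt.PyJWTError` at most. `print(f"JWT validation error: {e}")` should go through the app logger so validation failures land in the same place as the other auth logs. verify_jwt_token starts above the hunk.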
2 changes: 1 addition & 1 deletion api/models/member_session.py
Expand Up @@ -7,7 +7,7 @@ class MemberSession(Base):

id = db.Column(db.Integer, primary_key=True)
member_id = db.Column(db.Integer, db.ForeignKey('member.id'), nullable=False)
session_key = db.Column(db.String())
session_key = db.Column(db.String(), unique=True)
creation_date = db.Column(db.DateTime())
member = db.relationship('Member', backref=db.backref('sessions'))

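Review bot: `unique=True` on session_key is only a model-level declaration; the `ON CONFLICT (session_key)` clause added in api/auth/cas_auth.py requires a matching unique index to exist in the database, otherwise PostgreSQL rejects the statement. No migration is part of this change, so unless tables are created from the models at startup this needs a schema migration, and any pre-existing duplicate session_key rows (the previous code stored decoded_jwt in this column) would have to be cleaned up before the index can be created. The column also stays nullable, and NULL values never trigger ON CONFLICT; `session_key = db.Column(db.String(), unique=True, nullable=False)` would document the intent. The class header is outside the hunk.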
3 changes: 2 additions & 1 deletion docker/Dockerfile
Expand Up @@ -2,7 +2,8 @@
FROM python:3.9 as builder

# Install Poetry
RUN curl -sSL https://install.python-poetry.org | python3 -
RUN curl -sSL https://install.python-poetry.org | python3 - --version 2.2.1 && \
export PATH="/root/.local/bin:$PATH"

ENV PATH="${PATH}:/root/.local/bin" \
POETRY_NO_INTERACTION=1 \
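Review bot: `export PATH="/root/.local/bin:$PATH"` in the RUN step has no effect beyond that shell — the variable is discarded when the layer finishes, and the ENV line directly below already puts /root/.local/bin on PATH for later steps; drop the `&& \` continuation and the export line, leaving `RUN curl -sSL https://install.python-poetry.org | python3 - --version 2.2.1`. Pinning `--version 2.2.1` fixes which Poetry is installed, but the installer script itself is still fetched and executed unpinned through `curl | python3`; if reproducible builds matter here, download the script to a file and verify a recorded checksum before running it, or install Poetry from a pinned wheel with pip.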