verify aud
Lily Kuang committed Feb 11, 2022
1 parent cedb0c9 commit c3f5858
Showing 1 changed file with 0 additions and 7 deletions.
7 changes: 0 additions & 7 deletions superset/security/manager.py
Expand Up @@ -1341,20 +1341,13 @@ def get_guest_user_from_request(self, req: Request) -> Optional[GuestUser]:
return None

try:
aud = (
current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
)
token = self.parse_jwt_guest_token(raw_token)
if token.get("user") is None:
raise ValueError("Guest token does not contain a user claim")
if token.get("resources") is None:
raise ValueError("Guest token does not contain a resources claim")
if token.get("rls_rules") is None:
raise ValueError("Guest token does not contain an rls_rules claim")
if token.get("aud") is None:
raise ValueError("Guest token does not contain an aud claim")
if token.get("aud") != aud:
raise ValueError("Guest token does not match the aud claim")
if token.get("type") != "guest":
raise ValueError("This is not a guest token.")
except Exception: # pylint: disable=broad-except
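Review bot: After the `aud` lookup and the two `aud` checks are dropped, nothing left in this hunk ties the token to this deployment; that now rests entirely on `self.parse_jwt_guest_token(raw_token)`, which is defined outside the hunk and presumably decodes with an explicit audience (PyJWT's `jwt.decode(..., audience=...)`) so that a guest token minted for another host is rejected rather than accepted. If that is where the check moved, a one-line comment next to the call would spare the next reader the same question, e.g. `# aud (GUEST_TOKEN_JWT_AUDIENCE or URL host) is verified inside parse_jwt_guest_token`. Note also that the remaining claim checks only test `is None`, so an empty `user`, `resources` or `rls_rules` value still passes this block; that is unchanged by the commit but worth confirming it is intended. get_guest_user_from_request starts and ends outside the hunk.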
