Add warning comments to auth functions

ooni · Jan 24, 2025 · 936cdad · 936cdad
1 parent d9dff25
commit 936cdad
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/ooniapi/services/ooniauth/src/ooniauth/routers/v1.py b/ooniapi/services/ooniauth/src/ooniauth/routers/v1.py
@@ -66,10 +66,20 @@ async def user_register(
     ses_client=Depends(get_ses_client),
 ):
     """Auth Services: start email-based user registration"""
+
+    # **IMPORTANT** You have to be very careful to use an audience different to "probe_login"
+    # 
+    # "probe_login" is the audience field used to generate tokens in ooniprobe
+    #
+    # The tokens used in ooniprobe are generated regardless of any authentication,
+    # because they are a toy token used to please old probes. We use the aud field to distinguish 
+    # those tokens to the ones used in this service
+
     email_address = user_register.email_address.lower()
 
     now = datetime.now(timezone.utc)
     expiration = now + timedelta(days=1)
+    # ! aud should never be "probe_login"
     # On the backend side the registration is stateless
     payload = {
         "nbf": now,
@@ -116,16 +126,8 @@ async def user_login(
 ):
     """Auth Services: login using a registration/login link"""
 
-    # **IMPORTANT** You have to compute this token using a different key
-    # to the one used in ooniprobe service, because you could allow
-    # a login bypass attack if you don't. 
-    #
-    # The token used in ooniprobe is generated regardless of any authentication,
-    # because it's a toy token to please old probes. 
-    #
-    # We set this up in terraform
-
     try:
+        # ! audience should never be "probe_login"
         dec = decode_jwt(
             token=token, key=settings.jwt_encryption_key, audience="register"
         )

diff --git a/ooniapi/services/ooniauth/src/ooniauth/routers/v2.py b/ooniapi/services/ooniauth/src/ooniauth/routers/v2.py
@@ -73,6 +73,7 @@ async def create_user_login(
     now = datetime.now(timezone.utc)
     login_token_expiration = now + timedelta(days=1)
     # On the backend side the registration is stateless
+    # !aud should never be "probe_login"
     payload = {
         "nbf": now,
         "exp": login_token_expiration,
@@ -143,6 +144,7 @@ def get_user_session_from_login_token(
     login_token: str, jwt_encryption_key: str, hashing_key: str, admin_emails: List[str]
 ) -> UserSession:
     try:
+        # ! audience should never be "probe_login"
         d = decode_jwt(
             token=login_token,
             key=jwt_encryption_key,