Crash when handling publisher-generated JWT grant token with invalid account ID

Open robertknight opened this issue 6 years ago • 2 comments

https://sentry.io/organizations/hypothesis/issues/1106040600/

A crash occurs if a publisher with keys for an authority generates a grant token for an invalid user ID (e.g. acct:@authority) and the client POSTs it to the /api/token route.

In one of the reports in the linked Sentry issue, the contents of the JWT token submitted to the endpoint were:

{
  "aud": "hypothes.is",
  "iss": "d9bb38d6-9c38-11e9-9718-935e4c0dc38c",
  "sub": "acct:@h.jonudell.info",
  "nbf": 1563383764,
  "exp": 1563384364
}

robertknight, Jul 17 '19 17:07
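As an added illustration of the defensive check this report calls for (example code, not part of the h project or of this issue): a grant token's claims are validated after signature verification, and a malformed `sub` such as `acct:@h.jonudell.info` (empty username) is turned into a client-facing error instead of an unhandled exception. The claim names and sample values come from the JWT quoted above; the function names, the `acct:<username>@<authority>` regex and the issuer-to-authority lookup table are assumptions made for the example.

```python
"""Claim validation for a publisher-generated grant token.

Added example, not h's own code. Assumes the token's signature has already
been verified and that the route maps InvalidGrantToken to a 4xx response.
"""
import re
import time

# Audience the /api/token route expects; value taken from the JWT in the issue.
EXPECTED_AUD = "hypothes.is"

# A userid is "acct:<username>@<authority>"; both parts must be non-empty and
# contain no '@' or whitespace. This pattern is an assumption for the example.
USERID_RE = re.compile(r"^acct:([^@\s]+)@([^@\s]+)$")


class InvalidGrantToken(ValueError):
    """A problem with client-supplied token data: should become a 4xx, not a crash."""


def split_userid(userid):
    """Return (username, authority) for a well-formed userid, else raise InvalidGrantToken.

    'acct:@h.jonudell.info' (the value from the issue) fails because the
    username is empty; 'acct:user@' and 'user@authority' fail as well.
    """
    if not isinstance(userid, str):
        raise InvalidGrantToken("sub must be a string")
    match = USERID_RE.match(userid)
    if match is None:
        raise InvalidGrantToken("sub is not an acct:user@authority userid: %r" % (userid,))
    return match.group(1), match.group(2)


def validate_grant_claims(claims, issuer_authorities, now=None):
    """Validate aud, iss, nbf, exp and sub of a signature-verified grant token.

    `issuer_authorities` maps a publisher's client id (the `iss` claim) to the
    authority that publisher holds keys for (hypothetical lookup table).
    Returns (username, authority) on success, raises InvalidGrantToken otherwise.
    """
    now = time.time() if now is None else now

    if claims.get("aud") != EXPECTED_AUD:
        raise InvalidGrantToken("unexpected audience")

    authority = issuer_authorities.get(claims.get("iss"))
    if authority is None:
        raise InvalidGrantToken("unknown issuer")

    for name in ("nbf", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise InvalidGrantToken("%s must be a numeric timestamp" % name)
    if now < claims["nbf"]:
        raise InvalidGrantToken("token not yet valid")
    if now >= claims["exp"]:
        raise InvalidGrantToken("token expired")

    username, sub_authority = split_userid(claims.get("sub"))
    # A publisher may only mint grants for users of the authority it holds keys for.
    if sub_authority != authority:
        raise InvalidGrantToken("sub authority does not match issuer's authority")
    return username, sub_authority


def grant_error(claims, issuer_authorities, now=None):
    """The error message a route handler would return to the client, or None if valid."""
    try:
        validate_grant_claims(claims, issuer_authorities, now=now)
    except InvalidGrantToken as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed lookup table: the issuer id from the issue's JWT mapped to an assumed authority.
    issuers = {"d9bb38d6-9c38-11e9-9718-935e4c0dc38c": "h.jonudell.info"}
    # The claims quoted in the issue, with the empty username.
    reported = {
        "aud": "hypothes.is",
        "iss": "d9bb38d6-9c38-11e9-9718-935e4c0dc38c",
        "sub": "acct:@h.jonudell.info",
        "nbf": 1563383764,
        "exp": 1563384364,
    }
    print(grant_error(reported, issuers, now=1563384000))
    good = dict(reported, sub="acct:alice@h.jonudell.info")
    print(validate_grant_claims(good, issuers, now=1563384000))
```

The point of the wrapper is that every malformed input, including the empty username seen in Sentry, ends in a typed exception the route can translate into a 4xx, so a publisher's bad grant token produces a rejected request rather than a server error.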

FYI @judell

robertknight, Jul 17 '19 17:07

Sentry issue: H-1QA

sentry-io[bot], Jul 18 '19 07:07