Merge pull request #23 from maykinmedia/security-fix/jwt-algorithms

🔒 Fix JWT verification
maykinmedia · Feb 9, 2024 · 10dc137 · 10dc137
2 parents 94008c5 + 20d9345
commit 10dc137
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/vng_api_common/middleware.py b/vng_api_common/middleware.py
@@ -1,7 +1,7 @@
 # https://pyjwt.readthedocs.io/en/latest/usage.html#reading-headers-without-validation
 # -> we can put the organization/service in the headers itself
 import logging
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, Iterable, List, Optional
 
 from django.conf import settings
 from django.db import models, transaction
@@ -28,7 +28,7 @@ def __init__(self, encoded: str = None):
         self.encoded = encoded
 
     @property
-    def applicaties(self) -> Optional[list]:
+    def applicaties(self) -> Iterable[Applicatie]:
         if self.client_id is None:
             return []
 
@@ -138,7 +138,7 @@ def payload(self) -> Optional[Dict[str, Any]]:
                 payload = jwt.decode(
                     self.encoded,
                     key,
-                    algorithms="HS256",
+                    algorithms=["HS256"],
                     leeway=settings.JWT_LEEWAY,
                 )
             except jwt.InvalidSignatureError: