When jwt is enabled via env/config, tokens are accepted without verification. I tested this with expired but otherwise valid tokens. The token is decoded with jwt.decode(access_token, verify=False). As far as I understand, this means that any token would be accepted, since the signature is not checked with a public key/certificate.
So you could just change the username in the token and sign it with an arbitrary key to impersonate any user.
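To make the report concrete, here is an added, stand-alone example (not code from the project or the reporter) that implements HS256 JWT handling with the standard library only: `decode_unverified` mirrors what `verify=False` returns, and `decode_verified` is the check the service should perform (pinned algorithm, constant-time HMAC comparison, then `exp`). Keys and claims are constructed for the demo; the PyJWT equivalent of the hardened path is `jwt.decode(token, key, algorithms=["HS256"])`.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Mint an HS256 token; used here only to build the constructed sample inputs
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    # What jwt.decode(token, verify=False) amounts to: the payload is base64-decoded
    # and returned as-is; neither the signature nor the expiry is ever examined.
    return json.loads(_b64url_decode(token.split(".")[1]))

def decode_verified(token: str, key: bytes, now: Optional[float] = None) -> dict:
    # Hardened path: pin the algorithm (never trust "alg" from the token), recompute
    # the HMAC over header.payload, compare in constant time, then enforce "exp".
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

SERVER_KEY = b"server-secret-for-demo"   # constructed; a real key comes from env/config
OTHER_KEY = b"some-other-key"            # constructed; a key the server never issued

def demo() -> dict:
    # Three constructed tokens: properly signed, signed with the wrong key, and expired.
    tokens = {
        "good": sign_hs256({"sub": "alice", "exp": 2_000_000_000}, SERVER_KEY),
        "wrong_key": sign_hs256({"sub": "admin", "exp": 2_000_000_000}, OTHER_KEY),
        "expired": sign_hs256({"sub": "alice", "exp": 1_000_000_000}, SERVER_KEY),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = decode_verified(tok, SERVER_KEY, now=1_500_000_000)["sub"]
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results
```

`decode_unverified` happily returns `admin` for the wrong-key token, which is exactly the impersonation the report describes; only `decode_verified` rejects it.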