Gracefully handle malformed tokens

vimalloc · vimalloc · commit aa073eb8a77e · 2019-08-03T09:37:52.000-06:00
Closes #246
diff --git a/flask_jwt_extended/jwt_manager.py b/flask_jwt_extended/jwt_manager.py
@@ -3,7 +3,7 @@
 
 from jwt import (
     ExpiredSignatureError, InvalidTokenError, InvalidAudienceError,
-    InvalidIssuerError
+    InvalidIssuerError, DecodeError
 )
 try:
     from flask import _app_ctx_stack as ctx_stack
@@ -113,6 +113,10 @@ def handle_expired_error(e):
         def handle_invalid_header_error(e):
             return self._invalid_token_callback(str(e))
 
+        @app.errorhandler(DecodeError)
+        def handle_invalid_header_error(e):
+            return self._invalid_token_callback(str(e))
+
         @app.errorhandler(InvalidTokenError)
         def handle_invalid_token_error(e):
             return self._invalid_token_callback(str(e))
diff --git a/tests/test_decode_tokens.py b/tests/test_decode_tokens.py
@@ -8,7 +8,7 @@
 
 from jwt import (
     ExpiredSignatureError, InvalidSignatureError, InvalidAudienceError,
-    ImmatureSignatureError, InvalidIssuerError
+    ImmatureSignatureError, InvalidIssuerError, DecodeError
 )
 
 from flask_jwt_extended import (
@@ -279,3 +279,10 @@ def test_invalid_iss(app, default_access_token):
     with pytest.raises(InvalidIssuerError):
         with app.test_request_context():
             decode_token(invalid_token)
+
+
+def test_malformed_token(app):
+    invalid_token = 'foobarbaz'
+    with pytest.raises(DecodeError):
+        with app.test_request_context():
+            decode_token(invalid_token)
diff --git a/tests/test_view_decorators.py b/tests/test_view_decorators.py
@@ -216,7 +216,6 @@ def test_jwt_missing_claims(app):
 
 def test_jwt_invalid_audience(app):
     url = '/protected'
-    jwtM = get_jwt_manager(app)
     test_client = app.test_client()
 
     # No audience claim expected or provided - OK
@@ -237,9 +236,9 @@ def test_jwt_invalid_audience(app):
     assert response.status_code == 422
     assert response.get_json() == {'msg': 'Invalid audience'}
 
+
 def test_jwt_invalid_issuer(app):
     url = '/protected'
-    jwtM = get_jwt_manager(app)
     test_client = app.test_client()
 
     # No issuer claim expected or provided - OK
@@ -261,6 +260,16 @@ def test_jwt_invalid_issuer(app):
     assert response.get_json() == {'msg': 'Invalid issuer'}
 
 
+def test_malformed_token(app):
+    url = '/protected'
+    test_client = app.test_client()
+
+    access_token = 'foobarbaz'
+    response = test_client.get(url, headers=make_headers(access_token))
+    assert response.status_code == 422
+    assert response.get_json() == {'msg': 'Not enough segments'}
+
+
 @pytest.mark.parametrize("delta_func", [timedelta, relativedelta])
 def test_expired_token(app, delta_func):
     url = '/protected'
