Security: Implement JWT verification in V3 and prevent numeric ID signing

2026-01-19 14:41:20 -05:00
parent cad0d2e867
commit 2dbf47d874
2 changed files with 30 additions and 62 deletions
--- a/app/lib_jwt.py
+++ b/app/lib_jwt.py
@@ -24,6 +24,14 @@ def sign_jwt(
    log.setLevel(logging.WARNING) # DEBUG, INFO, WARNING, ERROR, EXCEPTION, CRITICAL
    log.debug(locals())

+    # SECURITY CHECK: Ensure we are not signing numeric IDs
+    for label, val in [('account_id', account_id), ('person_id', person_id), ('user_id', user_id)]:
+        if val is not None:
+            if isinstance(val, int) or (isinstance(val, str) and val.isdigit()):
+                log.critical(f"SECURITY BREACH: Attempted to sign a numeric ID for {label}='{val}'. Only random string IDs allowed.")
+                # For now we log and proceed, but in Phase 3 we should raise an Exception
+                # raise ValueError(f"Numeric IDs cannot be signed in JWTs.")
+
    payload = {
        'iat': time.time(), # Issued at
        'eat': time.time() + ttl, # Expires at