From bc59d58a3e5d9aa422e85a83432e1c44c632132a Mon Sep 17 00:00:00 2001
From: Gautham
Date: Tue, 24 Jul 2018 15:12:20 +0530
Subject: [PATCH 1/3] Fixing a bug - the allows_jwt method does NOT throw any error if a token is not found at all. This could cause potential security issues as developers decorate their methods with @allows_jwt and then not pass a token and the method allows the call.
Signed-off-by: Gautham
---
 gluon/tools.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/gluon/tools.py b/gluon/tools.py
index bf4bd902..1078f9eb 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -1335,6 +1335,8 @@ class AuthJWT(object):
 if required:
 raise e
 token = None
+ if not token:
+ raise HTTP(400, 'Invalid token')
 if token and len(token) < self.max_header_length:
 old_verify_expiration = self.verify_expiration
 try:
From 39dd86d6fbc7d8d9866170651d1dc639aaa3d913 Mon Sep 17 00:00:00 2001
From: Gautham Pai
Date: Tue, 24 Jul 2018 17:40:15 +0530
Subject: [PATCH 2/3] Raise an error only if required is True and token is not present
---
 gluon/tools.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gluon/tools.py b/gluon/tools.py
index 1078f9eb..26814b1b 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -1335,7 +1335,7 @@ class AuthJWT(object):
 if required:
 raise e
 token = None
- if not token:
+ if not token and required:
 raise HTTP(400, 'Invalid token')
 if token and len(token) < self.max_header_length:
 old_verify_expiration = self.verify_expiration
From 6f2be48e254e62c07d65dbd3bf22780525d36e44 Mon Sep 17 00:00:00 2001
From: Michele Comitini
Date: Thu, 26 Jul 2018 20:01:38 +0200
Subject: [PATCH 3/3] generate HTTP error code also if jwt token parameter is missing in request
---
 gluon/tools.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gluon/tools.py b/gluon/tools.py
index 26814b1b..d076e292 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
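Review bot: The new `if not token:` guard ignores `required`, so a route decorated with `allows_jwt(required=False)` now answers 400 to callers that send no token, although the `except` branch just above deliberately sets `token = None` for exactly that case; patch 2 of this series narrows it to `if not token and required:` and patch 3 drops it again, so the three would be better squashed than landed as separate intermediate states. The message `'Invalid token'` also misdescribes the situation, since no token was received at all; `raise HTTP(400, 'JWT token missing')` reads more accurately. The enclosing wrapper (presumably the `allows_jwt` decorator named in the subject) starts and ends outside the hunk, so what happens after `try:` is not visible here.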
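Review bot: `if not token and required:` only fires when `token` is falsy, so a token that is present but fails the `len(token) < self.max_header_length` test on the next line is, as far as this hunk shows, neither rejected nor verified, and with `required=True` the action presumably still runs — the rest of the wrapper is outside the hunk, so this may be handled further down. Folding the check into the length branch (`if token and len(token) < self.max_header_length: ... elif required: raise HTTP(400, 'JWT token missing or too long')`) would cover the missing and the over-long case in one place. A missing credential is conventionally reported as 401 rather than 400, although the surrounding code already uses 400 for header problems. Patch 3 of the series removes this check again in favour of raising inside `_get_token`.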
@@ -1311,6 +1311,8 @@ class AuthJWT(object):
 token = parts[1]
 else:
 token = current.request.vars.get(token_param)
+ if token is None:
+ raise HTTP(400, 'JWT header not found and JWT parameter {} missing in request'.format(token_param))
 self.recvd_token = token
 return token
@@ -1335,8 +1337,6 @@ class AuthJWT(object):
 if required:
 raise e
 token = None
- if not token and required:
- raise HTTP(400, 'Invalid token')
 if token and len(token) < self.max_header_length:
 old_verify_expiration = self.verify_expiration
 try:
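Review bot: `if token is None:` leaves the empty-parameter case open: when the request carries the parameter with no value, `current.request.vars.get(token_param)` can yield an empty string, which does not raise here and, in the second hunk at line 1335, is also skipped by `if token and len(token) < self.max_header_length:`, so with `required=True` the decorated action would still run unauthenticated — the same silent-allow this series sets out to fix. `if not token:` closes that gap while still letting the `except HTTP` branch in the wrapper turn it into `token = None` when `required` is False. The raise also happens before `self.recvd_token = token`, so if the `AuthJWT` instance is reused across requests `recvd_token` keeps a stale value on this path; assigning `self.recvd_token = None` before raising avoids that. `_get_token` begins outside the hunk, and any caller other than `allows_jwt` will now receive this 400 as well.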