ath should not take padding in to account

SUNET · Nov 6, 2023 · c6f4eb4 · c6f4eb4
1 parent 4464f3b
commit c6f4eb4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/src/auth_server/proof/jws.py b/src/auth_server/proof/jws.py
@@ -65,7 +65,7 @@ async def verify_gnap_jws(
     # associated access token's value.
     if access_token is not None:
         access_token_hash = hash_with(SHA256(), access_token.encode())
-        b64_access_token_hash = urlsafe_b64encode(access_token_hash).decode("utf-8")
+        b64_access_token_hash = urlsafe_b64encode(access_token_hash).decode("utf-8").rstrip("=")
         if b64_access_token_hash != jws_header.ath:
             logger.error(f"ath mismatch. calculated ath: {b64_access_token_hash} != header: {jws_header.ath}")
             raise HTTPException(status_code=400, detail="ath does not match")

diff --git a/src/auth_server/tests/test_app.py b/src/auth_server/tests/test_app.py
@@ -1016,7 +1016,7 @@ def test_transaction_jws_continue(self):
         jws_header["created"] = int(utc_now().timestamp())
         # calculate ath header value
         access_token_hash = hash_with(SHA256(), continue_response["access_token"]["value"].encode())
-        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8")
+        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8").rstrip("=")
         _jws = jws.JWS(payload="{}")
         _jws.add_signature(
             key=self.client_jwk,
@@ -1119,7 +1119,7 @@ def test_transaction_jws_continue_redirect_finish(self):
         jws_header["created"] = int(utc_now().timestamp())
         # calculate ath header value
         access_token_hash = hash_with(SHA256(), continue_response["access_token"]["value"].encode())
-        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8")
+        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8").rstrip("=")
         # create jws from continue request
         _jws = jws.JWS(payload=ContinueRequest(interact_ref=interact_ref).json(exclude_unset=True))
         _jws.add_signature(
@@ -1205,7 +1205,7 @@ def test_transaction_jwsd_continue(self):
         jws_header["created"] = int(utc_now().timestamp())
         # calculate ath header value
         access_token_hash = hash_with(SHA256(), continue_response["access_token"]["value"].encode())
-        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8")
+        jws_header["ath"] = base64.urlsafe_b64encode(access_token_hash).decode("utf-8").rstrip("=")
         _jws = jws.JWS(payload="{}")
         _jws.add_signature(
             key=self.client_jwk,