From 47e4bb8f1d3ed06fd4cb3d20aa708bb403f39f0c Mon Sep 17 00:00:00 2001 From: David Ormsbee Date: Mon, 13 May 2024 18:06:54 +0200 Subject: [PATCH] fix: prevent setting user attributes from JWT in Studio Open edX implements its a JwtAuthentication class in edx-drf-extensions (in edx_rest_framework_extensions.auth.jwt.authentication). This class updates the local User database entry to match certain values in the token. It's used as a way to automatically provision and update users with their LMS user information on other Open edX services like ecommerce. Since LMS and Studio keep the record of truth in its database tables, they should *not* update their database user information based on the JWT. Doing so would allow stale JWTs to incorrectly reset user values after they had been changed in the LMS. This is done by having the EDX_DRF_EXTENSIONS['JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'] setting be an empty dictionary, and was set correctly for the LMS in its common.py env settings module. Unfortunately, this was *not* being set for Studio. This commit adds the same setting to Studio's common settings module. Prior to this commit, it was possible for a stale JWT to reset user attributes if the user hit a Studio API endpoint that used JWT for auth (e.g. endpoints used by the Course Authoring MFE). This opened up a potential security issue where a global staff user (is_staff=True) that had their global staff status removed (is_staff=False) could have up to a one hour window in which they could use their stale-but-still-valid global-staff JWT token to regain global staff status by calling a Studio endpoint with their browser. --- cms/envs/common.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cms/envs/common.py b/cms/envs/common.py index 43dc2d04d9b6..8fcd5ef98418 100644 --- a/cms/envs/common.py +++ b/cms/envs/common.py @@ -2242,7 +2242,6 @@ ############################ OAUTH2 Provider ################################### - # 5 minute expiration time for JWT id tokens issued for external API requests. OAUTH_ID_TOKEN_EXPIRATION = 5 * 60 @@ -2252,6 +2251,12 @@ # Affiliate cookie tracking AFFILIATE_COOKIE_NAME = 'dev_affiliate_id' +EDX_DRF_EXTENSIONS = { + # Set this value to an empty dict in order to prevent automatically updating + # user data from values in (possibly stale) JWTs. + 'JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING': {}, +} + ############## Settings for Studio Context Sensitive Help ############## HELP_TOKENS_INI_FILE = REPO_ROOT / "cms" / "envs" / "help_tokens.ini"