feat: Check if token is a JWT (#159)

juancarlospaco · web-flow · commit 44f7b39ee5f7 · 2024-11-10T18:53:10.000+08:00
diff --git a/supabase_functions/_async/functions_client.py b/supabase_functions/_async/functions_client.py
@@ -3,7 +3,7 @@
 from httpx import HTTPError, Response
 
 from ..errors import FunctionsHttpError, FunctionsRelayError
-from ..utils import AsyncClient, is_http_url, is_valid_str_arg
+from ..utils import AsyncClient, is_http_url, is_valid_jwt, is_valid_str_arg
 from ..version import __version__
 
 
@@ -60,6 +60,9 @@ def set_auth(self, token: str) -> None:
             the new jwt token sent in the authorization header
         """
 
+        if not is_valid_jwt(token):
+            ValueError("token must be a valid JWT authorization token string.")
+
         self.headers["Authorization"] = f"Bearer {token}"
 
     async def invoke(
diff --git a/supabase_functions/_sync/functions_client.py b/supabase_functions/_sync/functions_client.py
@@ -3,7 +3,7 @@
 from httpx import HTTPError, Response
 
 from ..errors import FunctionsHttpError, FunctionsRelayError
-from ..utils import SyncClient, is_http_url, is_valid_str_arg
+from ..utils import SyncClient, is_http_url, is_valid_jwt, is_valid_str_arg
 from ..version import __version__
 
 
@@ -60,6 +60,9 @@ def set_auth(self, token: str) -> None:
             the new jwt token sent in the authorization header
         """
 
+        if not is_valid_jwt(token):
+            ValueError("token must be a valid JWT authorization token string.")
+
         self.headers["Authorization"] = f"Bearer {token}"
 
     def invoke(
diff --git a/supabase_functions/utils.py b/supabase_functions/utils.py
@@ -1,9 +1,11 @@
+import re
 from urllib.parse import urlparse
 
 from httpx import AsyncClient as AsyncClient  # noqa: F401
 from httpx import Client as BaseClient
 
 DEFAULT_FUNCTION_CLIENT_TIMEOUT = 5
+BASE64URL_REGEX = r"^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)$"
 
 
 class SyncClient(BaseClient):
@@ -17,3 +19,26 @@ def is_valid_str_arg(target: str) -> bool:
 
 def is_http_url(url: str) -> bool:
     return urlparse(url).scheme in {"https", "http"}
+
+
+def is_valid_jwt(value: str) -> bool:
+    """Checks if value looks like a JWT, does not do any extra parsing."""
+    if not isinstance(value, str):
+        return False
+
+    # Remove trailing whitespaces if any.
+    value = value.strip()
+
+    # Remove "Bearer " prefix if any.
+    if value.startswith("Bearer "):
+        value = value[7:]
+
+    # Valid JWT must have 2 dots (Header.Paylod.Signature)
+    if value.count(".") != 2:
+        return False
+
+    for part in value.split("."):
+        if not re.search(BASE64URL_REGEX, part, re.IGNORECASE):
+            return False
+
+    return True
