Fix jwks validation in scanner

2025-05-24 02:02:36 -04:00 · 2025-05-11 03:37:34 +02:00 · 2025-05-11 03:37:34 +02:00 · 6427aafc4d
commit 6427aafc4d
parent 2ce696a07b
2 changed files with 6 additions and 1 deletions
--- a/scanner/scanner/init.py
+++ b/scanner/scanner/init.py
@ -77,7 +77,7 @@ app = FastAPI(
 )
 async def trigger_scan(
 	tasks: BackgroundTasks,
-	_: Annotated[None, Security(validate_bearer, scopes=["scanner."])],
+	_: Annotated[None, Security(validate_bearer, scopes=["scanner.trigger"])],
 ):
 	"""
 	Trigger a full scan of the filesystem, trying to find new videos & deleting old ones.
--- a/scanner/scanner/jwt.py
+++ b/scanner/scanner/jwt.py
@ -1,4 +1,5 @@
 import os
+from logging import getLogger
 from typing import Annotated

 import jwt
@ -6,6 +7,8 @@ from fastapi import Depends, HTTPException
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, SecurityScopes
 from jwt import PyJWKClient

+logger = getLogger(__name__)
+
 jwks_client = PyJWKClient(
 	os.environ.get("JWKS_URL", "http://auth:4568/.well-known/jwks.json")
 )
@ -21,6 +24,7 @@ def validate_bearer(
 		payload = jwt.decode(
 			token.credentials,
 			jwks_client.get_signing_key_from_jwt(token.credentials).key,
+			algorithms=["RS256"],
 			issuer=os.environ.get("JWT_ISSUER"),
 		)
 		for scope in perms.scopes:
@ -34,6 +38,7 @@ def validate_bearer(
 				)
 		return payload
 	except Exception as e:
+		logger.error("Failed to parse token", exc_info=e)
 		raise HTTPException(
 			status_code=403,
 			detail="Could not validate credentials",