From b27894fcfee8a8422ca191ccd87f641eb8befcf0 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Sat, 15 Mar 2025 15:20:53 -0600
Subject: refactor: authorize unsigned JWT in requests

---
 bin/idp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'bin/idp')

diff --git a/bin/idp b/bin/idp
index 3aeeb079..81e5ffe0 100755
--- a/bin/idp
+++ b/bin/idp
@@ -322,6 +322,7 @@ module Authz
   class OrganizationPolicy < DeclarativePolicy::Base
     condition(:owner) { true }
 
+    rule { owner }.enable :read_project
     rule { owner }.enable :create_project
   end
 
@@ -334,9 +335,9 @@ module Authz
 
     def to_jwt
       [
-        Base64.strict_encode64(JSON.generate({alg: "RS256", typ: "JWT"})),
+        Base64.strict_encode64(JSON.generate(alg: "none")),
         Base64.strict_encode64(JSON.generate(claims)),
-        Base64.strict_encode64(JSON.generate({})),
+        ""
       ].join(".")
     end
   end
@@ -354,8 +355,13 @@ module Authz
     def can?(request)
       subject = subject_of(request.subject)
       resource = resource_from(request.resource)
+      permission = request.permission.to_sym
+
       policy = DeclarativePolicy.policy_for(subject, resource)
-      policy.can?(request.permission.to_sym)
+      policy.can?(permission)
+    rescue StandardError => error
+      puts error.inspect
+      false
     end
 
     def subject_of(token)
@@ -371,7 +377,7 @@ module Authz
     def from_jwt(token)
       token
         .split('.', 3)
-        .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }
+        .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) rescue {} }
     end
   end
 end
-- 
cgit v1.2.3
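Review bot: `to_jwt` now emits a header of `alg: "none"` with an empty third segment, so the token carries no signature and nothing in this file can tell a token this IdP issued from one assembled by whoever sends `request.subject`; the `from_jwt` change in the last hunk decodes segments without any verification and `can?` hands the resulting claims straight to `DeclarativePolicy.policy_for`. If this is a deliberate intermediate step, mark it at the definition so it is not shipped as-is, e.g. `# TODO(security): token is unsigned (alg none); claims are unauthenticated until signing and verification are restored`. Otherwise the RS256 header should stay and the third segment should be a real signature over the first two. The enclosing class of `to_jwt` starts outside the hunk, so whether a verifying counterpart exists there cannot be seen here.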
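Review bot: The new `rescue StandardError` in `can?` converts every failure, including programming errors such as a nil subject or an unknown policy, into a deny reported only via `puts error.inspect` on stdout. Denying on error is the right default, but the diagnostic belongs on stderr or the application logger so authorization failures are visible in error output: `warn "authz: #{error.class}: #{error.message}"`. The `request.permission.to_sym` line presumably receives a caller-supplied string; checking it against the known permission names before interning would let the method distinguish "unknown permission" from a genuine deny rather than folding both into `false`.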
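Review bot: The `rescue {}` modifier added in `from_jwt` swallows every StandardError per segment, so a corrupted header or payload silently becomes `{}` instead of a rejected token, and it is also what hides the `JSON.parse` failure on the now-empty signature segment produced by `to_jwt`. Handle the expected case explicitly and let anything else surface, e.g. `.map { |x| x.empty? ? {} : JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }` with `rescue ArgumentError, JSON::ParserError` at the method level returning a clearly invalid result. Note also that `split('.', 3)` yields fewer than three elements for input without two dots, so a caller destructuring header, claims and signature would see nils; that caller is outside the hunk.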