From 861ee8b3c6886a61c6d9ed3f819f7bc35ab2867d Mon Sep 17 00:00:00 2001
From: Craig Rueda
Date: Mon, 23 Oct 2023 11:28:41 -0700
Subject: [PATCH] chore(websocket): [WIP] Making JWT algos configurable (#25521)
---
 superset-websocket/config.example.json | 1 +
 superset-websocket/src/config.ts | 2 ++
 superset-websocket/src/index.ts | 7 +++++--
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/superset-websocket/config.example.json b/superset-websocket/config.example.json
index 305c308362386..296a0bee39eab 100644
--- a/superset-websocket/config.example.json
+++ b/superset-websocket/config.example.json
@@ -16,6 +16,7 @@
 "ssl": false
 },
 "redisStreamPrefix": "async-events-",
+ "jwtAlgorithms": ["HS256"],
 "jwtSecret": "CHANGE-ME",
 "jwtCookieName": "async-token"
 }
diff --git a/superset-websocket/src/config.ts b/superset-websocket/src/config.ts
index 7d0fac323e975..aa361d17e219c 100644
--- a/superset-websocket/src/config.ts
+++ b/superset-websocket/src/config.ts
@@ -36,6 +36,7 @@ type ConfigType = {
 redisStreamPrefix: string;
 redisStreamReadCount: number;
 redisStreamReadBlockMs: number;
+ jwtAlgorithms: string[];
 jwtSecret: string;
 jwtCookieName: string;
 jwtChannelIdKey: string;
@@ -53,6 +54,7 @@ function defaultConfig(): ConfigType {
 redisStreamPrefix: 'async-events-',
 redisStreamReadCount: 100,
 redisStreamReadBlockMs: 5000,
+ jwtAlgorithms: ['HS256'],
 jwtSecret: '',
 jwtCookieName: 'async-token',
 jwtChannelIdKey: 'channel',
diff --git a/superset-websocket/src/index.ts b/superset-websocket/src/index.ts
index 782275e5ca53a..cd73a6baa635c 100644
--- a/superset-websocket/src/index.ts
+++ b/superset-websocket/src/index.ts
@@ -20,7 +20,7 @@ import * as http from 'http';
 import * as net from 'net';
 import WebSocket from 'ws';
 import { v4 as uuidv4 } from 'uuid';
-import jwt from 'jsonwebtoken';
+import jwt, { Algorithm } from 'jsonwebtoken';
 import cookie from 'cookie';
 import Redis from 'ioredis';
 import StatsD from 'hot-shots';
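Review bot: In `superset-websocket/src/config.ts`, the new `ConfigType` field is declared as `jwtAlgorithms: string[];`, which is wider than what the verifier accepts, so the compiler cannot check the `['HS256']` default in `defaultConfig()` and the consumer has to cast. Declaring it as `jwtAlgorithms: Algorithm[];` with `import type { Algorithm } from 'jsonwebtoken';` keeps the default checked and removes the need for that cast. The field also deserves a one-line comment, for example `// JWT signature algorithms accepted for the async-token cookie; must match what the token issuer signs with`. Both `ConfigType` and `defaultConfig()` continue outside these hunks, so how file or environment values are merged into this field is not visible here.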
@@ -261,7 +261,10 @@ const readChannelId = (request: http.IncomingMessage): string => {
 const token = cookies[opts.jwtCookieName];
 if (!token) throw new Error('JWT not present');
- const jwtPayload = jwt.verify(token, opts.jwtSecret) as JwtPayload;
+ const jwtPayload = jwt.verify(token, opts.jwtSecret, {
+ algorithms: opts.jwtAlgorithms as Algorithm[],
+ complete: false,
+ }) as JwtPayload;
 const channelId = jwtPayload[opts.jwtChannelIdKey];
 if (!channelId) throw new Error('Channel ID not present in JWT');
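Review bot: The `as Algorithm[]` cast on `opts.jwtAlgorithms` hands whatever strings the configuration holds straight to `jwt.verify`, so a misspelled name, an empty list or `none` is noticed, if at all, only when a client connects. The same `opts.jwtSecret` is the verification key for every listed algorithm, so a list that mixes HMAC names with public-key names should be refused as well. I would validate the list once at startup and pass the validated value here, as sketched below. The names in the sketch are the ones `jsonwebtoken` documents and should be checked against the installed version. `readChannelId` starts and ends outside this hunk.

```typescript
// Constructed sketch: run once at startup, before the server accepts connections.
const SUPPORTED_JWT_ALGORITHMS: readonly string[] = [
  'HS256', 'HS384', 'HS512',
  'RS256', 'RS384', 'RS512',
  'ES256', 'ES384', 'ES512',
  'PS256', 'PS384', 'PS512',
];

function parseJwtAlgorithms(names: string[]): Algorithm[] {
  const unknown = names.filter(name => !SUPPORTED_JWT_ALGORITHMS.includes(name));
  if (names.length === 0 || unknown.length > 0) {
    throw new Error(`Invalid jwtAlgorithms: ${JSON.stringify(names)}`);
  }
  // One key (jwtSecret) serves every entry, so the list must stay within one key family.
  const hmacCount = names.filter(name => name.startsWith('HS')).length;
  if (hmacCount > 0 && hmacCount < names.length) {
    throw new Error('jwtAlgorithms must not mix HMAC and public-key algorithms');
  }
  return names as Algorithm[];
}

const jwtAlgorithms = parseJwtAlgorithms(opts.jwtAlgorithms);

// … unchanged: cookie parsing and token presence check in readChannelId …
  const jwtPayload = jwt.verify(token, opts.jwtSecret, {
    algorithms: jwtAlgorithms,
    complete: false,
  }) as JwtPayload;
```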