fix: uri bug and add custom username claim option (#220)

Co-authored-by: Omer Cohen <[email protected]>
descope · Jan 29, 2025 · e83b9c6 · e83b9c6
1 parent 2800283
commit e83b9c6
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/django_descope/authentication.py b/django_descope/authentication.py
@@ -7,6 +7,7 @@
 from django.contrib.auth import logout
 from django.contrib.auth.backends import BaseBackend
 from django.http import HttpRequest
+from .settings import USERNAME_CLAIM
 
 from . import descope_client
 from .models import DescopeUser
@@ -52,7 +53,14 @@ def authenticate(self, request: Union[HttpRequest, None], **kwargs):
             # Contains sensitive information, so only log in DEBUG mode
             logger.debug(validated_session)
         if validated_session:
-            username = validated_session[SESSION_TOKEN_NAME]["sub"]
+            try:
+                username = validated_session[SESSION_TOKEN_NAME][USERNAME_CLAIM]
+            except KeyError:
+                logger.error(f"Unable to authenticate user- could not find USERNAME_CLAIM={USERNAME_CLAIM} in Descope JWT") 
+                if settings.DEBUG:
+                    raise
+                return None
+
             user, _ = DescopeUser.objects.get_or_create(username=username)
             user.sync(validated_session, refresh_token)
             request.session[SESSION_COOKIE_NAME] = user.session_token["jwt"]

diff --git a/django_descope/settings.py b/django_descope/settings.py
@@ -19,3 +19,9 @@
 # Role names to create in Descope that will map to User attributes
 IS_STAFF_ROLE = getattr(settings, "DESCOPE_IS_STAFF_ROLE", "is_staff")
 IS_SUPERUSER_ROLE = getattr(settings, "DESCOPE_IS_SUPERUSER_ROLE", "is_superuser")
+
+# Ensure the claim used here is present in the JWT.
+# Note: It is crucial to use a claim with a unique value for the username.
+# Failure to do so may result in unintended user merges or account takeovers.
+# For more information, refer to Descope's [NoAuth](https://www.descope.com/blog/post/noauth) blog post.
+USERNAME_CLAIM = getattr(settings, "DESCOPE_USERNAME_CLAIM", "sub")
diff --git a/django_descope/templatetags/descope.py b/django_descope/templatetags/descope.py
@@ -22,7 +22,7 @@ def descope_flow(context, flow_id, success_redirect):
     id = "descope-" + get_random_string(length=4)
     store_jwt_url = reverse("django_descope:store_jwt")
     flow = f"""
-    <descope-wc id="{id}" project-id="{PROJECT_ID}" flow-id="{flow_id}" redirect-url="{success_redirect}"
+    <descope-wc id="{id}" project-id="{PROJECT_ID}" flow-id="{flow_id}" redirect-url="{context.request.build_absolute_uri()}"
         base-url="{os.environ.get('DESCOPE_BASE_URI', '')}"></descope-wc>
     <script>
         const descopeWcEle = document.getElementById('{id}');