fix(api): disable signature verification for JWT decoding to handle upstream tokens

fabieu · web-flow · commit 40af2fb6c9fd · 2026-05-02T21:43:19.000+02:00
fix(api): change host binding to allow external access
diff --git a/Dockerfile b/Dockerfile
@@ -25,7 +25,8 @@ FROM python:3.14.3-alpine AS runtime
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     VIRTUAL_ENV=/app/.venv \
-    PATH="/app/.venv/bin:$PATH"
+    PATH="/app/.venv/bin:$PATH" \
+    SUREHUB_HOST=0.0.0.0
 
 RUN addgroup -S appgroup && adduser -S appuser -G appgroup
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -13,7 +13,7 @@ dependencies = [
     "dynaconf>=3.2.13,<4.0.0",
     "fastapi>=0.136.1,<1.0.0",
     "requests>=2.33.1,<3.0.0",
-    "pyjwt (>=2.12.1,<3.0.0)",
+    "pyjwt>=2.12.1,<3.0.0",
 ]
 
 [project.urls]
diff --git a/surehub_api/config.py b/surehub_api/config.py
@@ -8,5 +8,6 @@
         Validator('loglevel', is_in=['critical', 'error', 'warning', 'info', 'debug', 'trace']),
         Validator('endpoint', must_exist=True, condition=lambda v: isinstance(v, str) and v.startswith('https://')),
         Validator('port', must_exist=True, condition=lambda v: isinstance(v, int) and 1 <= v <= 65535),
+        Validator('host', must_exist=True),
     ],
 )
diff --git a/surehub_api/main.py b/surehub_api/main.py
@@ -72,8 +72,8 @@ def main():
 
     uvicorn.run(
         "surehub_api.main:app",
+        host=settings.host,
         port=settings.port,
-        host="127.0.0.1",
         log_level=settings.loglevel,
         log_config=log_config,
         reload=settings.debug
diff --git a/surehub_api/services/api.py b/surehub_api/services/api.py
@@ -93,7 +93,7 @@ def _get_token(force_refresh: bool = False) -> str:
 
 def _parse_expiry(token: str) -> datetime:
     try:
-        payload = jwt.decode(token)
+        payload = jwt.decode(token, options={"verify_signature": False})  # NOSONAR(S5659)
         return datetime.fromtimestamp(payload["exp"], tz=timezone.utc) - _TOKEN_EXPIRY_MARGIN
     except (jwt.exceptions.DecodeError, KeyError) as exc:
         raise HTTPException(status_code=502, detail=f"Invalid token from upstream: {exc}") from exc
@@ -128,4 +128,4 @@ def _login() -> str:
             if attempt == _LOGIN_RETRIES - 1:
                 raise requests.exceptions.RequestException(
                     f"Upstream auth unavailable after {_LOGIN_RETRIES} attempts: {exc}"
-                ) from exc
+                ) from exc
diff --git a/surehub_api/settings.yaml b/surehub_api/settings.yaml
@@ -1,5 +1,6 @@
 loglevel: "info"
 endpoint: "https://app-api.production.surehub.io"
+host: "127.0.0.1"
 port: 3001
 debug: false
 cors:

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ dependencies = [`
`13`	`13`	`"dynaconf>=3.2.13,<4.0.0",`
`14`	`14`	`"fastapi>=0.136.1,<1.0.0",`
`15`	`15`	`"requests>=2.33.1,<3.0.0",`
`16`		`- "pyjwt (>=2.12.1,<3.0.0)",`
	`16`	`+ "pyjwt>=2.12.1,<3.0.0",`
`17`	`17`	`]`
`18`	`18`
`19`	`19`	`[project.urls]`
Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,6 @@`
`8`	`8`	`Validator('loglevel', is_in=['critical', 'error', 'warning', 'info', 'debug', 'trace']),`
`9`	`9`	`Validator('endpoint', must_exist=True, condition=lambda v: isinstance(v, str) and v.startswith('https://')),`
`10`	`10`	`Validator('port', must_exist=True, condition=lambda v: isinstance(v, int) and 1 <= v <= 65535),`
	`11`	`+ Validator('host', must_exist=True),`
`11`	`12`	`],`
`12`	`13`	`)`