From 64824973ba8958c097ddd8a73cb28cb6f57e6427 Mon Sep 17 00:00:00 2001
From: mg <jimbob959@gmail.com>
Date: Wed, 11 Sep 2019 20:29:34 -0300
Subject: [PATCH] Adding issuer validation.

---
 thrimshim/thrimshim/main.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/thrimshim/thrimshim/main.py b/thrimshim/thrimshim/main.py
index 9566050..7a2aadb 100644
--- a/thrimshim/thrimshim/main.py
+++ b/thrimshim/thrimshim/main.py
@@ -43,13 +43,16 @@ def cors(app):
 def auth_test():
 	if flask.request.method == 'POST':
 		userToken = flask.request.json['token']
+		# Reference: https://developers.google.com/identity/sign-in/web/backend-auth
 		try:
 			# Alternate method, query this endpoint: https://oauth2.googleapis.com/tokeninfo?id_token=XYZ123
 			idinfo = id_token.verify_oauth2_token(userToken, requests.Request(), None)
 			
+			if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
+				raise ValueError('Wrong issuer.')
+
 			# ID token is valid. Get the user's Google Account ID from the decoded token.
     		# userid = idinfo['sub']
-			
 			userEmail = idinfo['email']
 
 			return json.dumps(userEmail)