From 0788efb65653d3e97805f00784a59dc3314856d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joakim=20S=C3=B8rensen?= <joasoe@gmail.com>
Date: Thu, 16 May 2024 11:08:33 +0200
Subject: [PATCH] Validate iat as int (#252)

* Only validate that iat is an int

* Restore previous

* not
---
 pycognito/__init__.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index b6a52ef..bd28318 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
@@ -260,6 +260,7 @@ def verify_token(self, token, id_name, token_use):
                 issuer=self.user_pool_url,
                 options={
                     "require": required_claims,
+                    "verify_iat": False,
                 },
             )
         except jwt.PyJWTError as err:
@@ -274,6 +275,14 @@ def verify_token(self, token, id_name, token_use):
                 f"Your {id_name!r} token use ({token_use!r}) could not be verified."
             )
 
+        if (iat := verified.get("iat")) is not None:
+            try:
+                int(iat)
+            except ValueError as execption:
+                raise TokenVerificationException(
+                    f"Your {id_name!r} token's iat claim is not a valid integer."
+                ) from execption
+
         # Compute and verify at_hash (formerly done by python-jose)
         if "at_hash" in verified:
             alg_obj = jwt.get_algorithm_by_name(header["alg"])