Warn about missing algorithms arg only when verify is True #281

Merged
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,9 +7,14 @@ This project adheres to [Semantic Versioning](http://semver.org/).
[Unreleased][unreleased]
-------------------------------------------------------------------------
### Changed

- Increase required version of the cryptography package to >=1.4.0.

### Fixed

- Remove uses of deprecated functions from the cryptography package.
- Warn about missing `algorithms` param to `decode()` only when `verify` param is `True` [#281][281]

This is missing defining the link for 281 at the bottom of the file.


Thanks @jpadilla! That's fixed now.


### Added

[v1.5.2][1.5.2]
Expand Down Expand Up @@ -187,4 +192,5 @@ rarely used. Users affected by this should upgrade to 3.3+.
[270]: https://github.com/jpadilla/pyjwt/pull/270
[271]: https://github.com/jpadilla/pyjwt/pull/271
[277]: https://github.com/jpadilla/pyjwt/pull/277
[281]: https://github.com/jpadilla/pyjwt/pull/281
[7c1e61d]: https://github.com/jpadilla/pyjwt/commit/7c1e61dde27bafe16e7d1bb6e35199e778962742
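--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@@ -118,7 +118,10 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
                **kwargs):
 
-        if not algorithms:
+        merged_options = merge_dict(self.options, options)
+        verify_signature = merged_options['verify_signature']
+
+        if verify_signature and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +
@@ -128,15 +131,13 @@ def decode(self, jws, key='', verify=True, algorithms=None, options=None,
 
         payload, signing_input, header, signature = self._load(jws)
 
-        if verify:
-            merged_options = merge_dict(self.options, options)
-            if merged_options.get('verify_signature'):
-                self._verify_signature(payload, signing_input, header, signature,
-                                       key, algorithms)
-        else:
+        if not verify:
             warnings.warn('The verify parameter is deprecated. '
                           'Please use verify_signature in options instead.',
                           DeprecationWarning, stacklevel=2)
+        elif verify_signature:
+            self._verify_signature(payload, signing_input, header, signature,
+                                   key, algorithms)
 
         return payload
 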
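Review bot: The `algorithms` warning in the first hunk is gated only on the merged `verify_signature` option (`if verify_signature and not algorithms:`), while the parallel change in jwt/api_jwt.py gates the same warning on the `verify` keyword (`if verify and not algorithms:`), so the two decode() entry points now warn under different conditions: the JWS path still warns for `verify=False` even though the `elif verify_signature:` branch in the second hunk means no signature is checked, and the JWT path keeps warning when verification is disabled through `options` alone. Since this warning is the only nudge toward pinning the accepted algorithms when a signature is actually verified, both places should derive the same effective flag, e.g. `if verify and verify_signature and not algorithms:`. Separately, `merged_options['verify_signature']` replaces the former `.get('verify_signature')`, so a caller-supplied `options` dict lacking that key now raises KeyError unless `self.options` always supplies it after `merge_dict`; both are defined outside the hunk, so this is worth confirming. The remainder of decode() (the tail of the warning text) lies between the two hunks.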
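--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -59,7 +59,7 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
     def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
                **kwargs):
 
-        if not algorithms:
+        if verify and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +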
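--- a/tests/test_api_jws.py
+++ b/tests/test_api_jws.py
@@ -275,6 +275,24 @@ def test_decode_with_optional_algorithms(self, jws):
 
         pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
 
+    def test_decode_no_algorithms_verify_signature_false(self, jws):
+        example_secret = 'secret'
+        example_jws = (
+            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
+            b'aGVsbG8gd29ybGQ.'
+            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
+        )
+
+        try:
+            pytest.deprecated_call(
+                jws.decode, example_jws, key=example_secret,
+                options={'verify_signature': False},
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."
+
     def test_load_no_verification(self, jws, payload):
         right_secret = 'foo'
         jws_message = jws.encode(payload, right_secret)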
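Review bot: `test_decode_no_algorithms_verify_signature_false` asserts the absence of a warning by catching the `AssertionError` that `pytest.deprecated_call` raises when nothing is emitted, which ties the test to how that helper reports failure and would also swallow an `AssertionError` raised inside `jws.decode` itself; `test_decode_no_algorithms_verify_false` in tests/test_api_jwt.py uses the same construction. Recording the warnings directly states the intent and fails with a clear message, as sketched below; it needs `import warnings` at the top of the module, which is outside this hunk. The `assert False, ...` in the `else:` branch then goes away as well.
```python
    def test_decode_no_algorithms_verify_signature_false(self, jws):
        # … unchanged: example_secret / example_jws fixture values …
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter('always')
            jws.decode(example_jws, key=example_secret,
                       options={'verify_signature': False})
        assert not any(issubclass(w.category, DeprecationWarning)
                       for w in caught), "Unexpected DeprecationWarning raised."
```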
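--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -482,3 +482,16 @@ def test_decode_with_optional_algorithms(self, jwt, payload):
             jwt_message,
             secret
         )
+
+    def test_decode_no_algorithms_verify_false(self, jwt, payload):
+        secret = 'secret'
+        jwt_message = jwt.encode(payload, secret)
+
+        try:
+            pytest.deprecated_call(
+                jwt.decode, jwt_message, secret, verify=False,
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."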