Allow list of valid audiences (#205 continued) #306
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nfigured Added test cases to check if audience is provided a list.
|
👍 |
1 similar comment
jpadilla
approved these changes
Nov 17, 2017
mark-adams
suggested changes
Nov 21, 2017
jwt/api_jwt.py
Outdated
| @@ -103,8 +102,8 @@ def _validate_claims(self, payload, options, audience=None, issuer=None, | |||
| if isinstance(leeway, timedelta): | |||
| leeway = leeway.total_seconds() | |||
|
|
|||
| if not isinstance(audience, (string_types, type(None))): | |||
| raise TypeError('audience must be a string or None') | |||
| if not isinstance(audience, (string_types, type(None), list)): | |||
There was a problem hiding this comment.
I think it might be better to use collections.Iterable to allow any iterable type to be used instead of just a list. Seems a little more idiomatic that way.
jwt/api_jwt.py
Outdated
| if isinstance(audience, string_types): | ||
| audience = [audience] | ||
|
|
||
| for aud in audience: |
There was a problem hiding this comment.
What about nixing 183 - 186 and doing:
if not any((aud in audience for aud in audience_claims)):
raise InvalidAudience('Invalid audience')
jwt/api_jwt.py
Outdated
| if not isinstance(audience, (string_types, type(None))): | ||
| raise TypeError('audience must be a string or None') | ||
| if not isinstance(audience, (string_types, type(None), list)): | ||
| raise TypeError('audience must be a string, list of strings, or None') |
There was a problem hiding this comment.
Let's make this iterable instead of list of strings
CHANGELOG.md
Outdated
| @@ -11,6 +11,9 @@ This project adheres to [Semantic Versioning](http://semver.org/). | |||
| - Dropped support for python 2.6 and 3.3 [#297][297] | |||
|
|
|||
| ### Fixed | |||
|
|
|||
| - Audience parameter now supports lists in compliance with RFC 7519 [#306][306] | |||
There was a problem hiding this comment.
Let's drop in compliance with RFC 7519. This is purely an API design decision in the library. RFC 7519 does not require libraries to allow multiple audience values when validating a token. It does require libraries to allow the token to contain multiple values for the aud claim. This change does not make the library any more or less compliant with the RFC, it just makes the API a little more pleasant in the use case that you have multiple possible allowed audiences in your use case.
There was a problem hiding this comment.
You're right. I actually misread that. Dropped the mentioned part and moved it to changed instead of fixed.
- nicer way of checking audience against claims
r-springer
commented
Nov 24, 2017
CHANGELOG.md
Outdated
| @@ -11,6 +11,9 @@ This project adheres to [Semantic Versioning](http://semver.org/). | |||
| - Dropped support for python 2.6 and 3.3 [#297][297] | |||
|
|
|||
| ### Fixed | |||
|
|
|||
| - Audience parameter now supports lists in compliance with RFC 7519 [#306][306] | |||
There was a problem hiding this comment.
You're right. I actually misread that. Dropped the mentioned part and moved it to changed instead of fixed.
mark-adams
reviewed
Nov 25, 2017
jwt/api_jwt.py
Outdated
| raise InvalidAudienceError('Invalid audience') | ||
|
|
||
| return |
There was a problem hiding this comment.
This return is extraneous since we're at the end of the function, right?
mark-adams
reviewed
Nov 25, 2017
tests/test_api_jwt.py
Outdated
| @@ -92,7 +91,7 @@ def test_decode_with_invalid_audience_param_throws_exception(self, jwt): | |||
| jwt.decode(example_jwt, secret, audience=1) | |||
|
|
|||
| exception = context.value | |||
| assert str(exception) == 'audience must be a string or None' | |||
| assert str(exception) == 'audience must be a string, Iterable, or None' | |||
There was a problem hiding this comment.
It's probably ok to just say iterable here instead of Iterable. I think most people have an understanding of what an iterable is with regards to Python.
|
I left a couple additional comments. Once those are taken care of, I think we'll be good to go. |
mark-adams
approved these changes
Nov 27, 2017
|
Thanks for the excellent contribution @codervinod! 🎉 |
This was referenced Mar 19, 2018
CorreyL
added a commit
to CorreyL/pyjwt
that referenced
this pull request
Apr 24, 2020
Demonstrate to users reading the documentation that the `audience` parameter is not restricted to the `string` type, but can also accept an iterable, as implemented in PR#306 jpadilla#306
jpadilla
pushed a commit
that referenced
this pull request
Apr 26, 2020
* Add code example for `aud` being an array The previous code example only showed the `aud` claim as a single case-sensitive string, despite the documentation mentioning that the `aud` claim can be an array of case-sensitive strings Add a code block demonstrating the `aud` claim being an array of case-sensitive strings to make it more clear to the user that it is a permitted use of the `aud` claim * Add example of the `audience` param as an iterable Demonstrate to users reading the documentation that the `audience` parameter is not restricted to the `string` type, but can also accept an iterable, as implemented in PR#306 #306 * Fix short title underlines Short title underlines throw warnings in reStructuredText linters
jpadilla
pushed a commit
that referenced
this pull request
Jun 19, 2020
* Add code example for `aud` being an array The previous code example only showed the `aud` claim as a single case-sensitive string, despite the documentation mentioning that the `aud` claim can be an array of case-sensitive strings Add a code block demonstrating the `aud` claim being an array of case-sensitive strings to make it more clear to the user that it is a permitted use of the `aud` claim * Add example of the `audience` param as an iterable Demonstrate to users reading the documentation that the `audience` parameter is not restricted to the `string` type, but can also accept an iterable, as implemented in PR#306 #306 * Fix short title underlines Short title underlines throw warnings in reStructuredText linters
rylanhall33
added a commit
to rylanhall33/pyjwt
that referenced
this pull request
Jun 15, 2022
* Add code example for `aud` being an array The previous code example only showed the `aud` claim as a single case-sensitive string, despite the documentation mentioning that the `aud` claim can be an array of case-sensitive strings Add a code block demonstrating the `aud` claim being an array of case-sensitive strings to make it more clear to the user that it is a permitted use of the `aud` claim * Add example of the `audience` param as an iterable Demonstrate to users reading the documentation that the `audience` parameter is not restricted to the `string` type, but can also accept an iterable, as implemented in PR#306 jpadilla/pyjwt#306 * Fix short title underlines Short title underlines throw warnings in reStructuredText linters
xmas7
pushed a commit
to RubyOnWorld/pyjwt
that referenced
this pull request
Sep 6, 2022
* Add code example for `aud` being an array The previous code example only showed the `aud` claim as a single case-sensitive string, despite the documentation mentioning that the `aud` claim can be an array of case-sensitive strings Add a code block demonstrating the `aud` claim being an array of case-sensitive strings to make it more clear to the user that it is a permitted use of the `aud` claim * Add example of the `audience` param as an iterable Demonstrate to users reading the documentation that the `audience` parameter is not restricted to the `string` type, but can also accept an iterable, as implemented in PR#306 jpadilla/pyjwt#306 * Fix short title underlines Short title underlines throw warnings in reStructuredText linters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Extending @codervinod's work in #246 for #205 (since there's no progress there recently), addressing the PR feedback.