Fix bug if application does not specify audience #336

Merged
merged 4 commits into from
Mar 15, 2018

@djw8605 djw8605 commented Mar 7, 2018

If the application does not specify an audience, but the token does, then throw an InvalidAudienceError.

@coveralls

Coverage Status

Coverage remained the same at 100.0% when pulling 7230521 on djw8605:aud-none into 9d98078 on jpadilla:master.

@coveralls

coveralls commented Mar 7, 2018

Coverage Status

Coverage remained the same at 100.0% when pulling 8be2680 on djw8605:aud-none into 9d98078 on jpadilla:master.

@jpadilla
Owner

@djw8605 need a bit more info on this. Did something break for you on v1.6.0?

@djw8605
Contributor Author

djw8605 commented Mar 14, 2018

Hi, yes. When the application does not specify an audience, but the token does, it used to throw an InvalidAudienceError exception. With the most recent version 1.6.0, it now errors out on an iterator:

>       if not any(aud in audience_claims for aud in audience):
E       TypeError: 'NoneType' object is not iterable

blah/lib/python2.7/site-packages/jwt/api_jwt.py:183: TypeError

@jpadilla
Owner

@djw8605 thanks! Can we update the exception string to Invalid audience so it matches previous behavior?

v1.5.3

>>> encoded = jwt.encode({'aud': 'urn:me'}, 'secret', algorithm='HS256')
>>> encoded
b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ1cm46bWUifQ.ol7vXY-pDNSVsek4c6oLsfmgncn3t4r8XtJSAog7lh4'
>>> jwt.decode(encoded, 'secret', algorithms=['HS256'])
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 90, in decode
    self._validate_claims(payload, merged_options, **kwargs)
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 126, in _validate_claims
    self._validate_aud(payload, audience)
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 181, in _validate_aud
    raise InvalidAudienceError('Invalid audience')
jwt.exceptions.InvalidAudienceError: Invalid audience

v1.6.0

>>> encoded = jwt.encode({'aud': 'urn:me'}, 'secret', algorithm='HS256')
>>> encoded
b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ1cm46bWUifQ.ol7vXY-pDNSVsek4c6oLsfmgncn3t4r8XtJSAog7lh4'
>>> jwt.decode(encoded, 'secret', algorithms=['HS256'])
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 89, in decode
    self._validate_claims(payload, merged_options, **kwargs)
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 125, in _validate_claims
    self._validate_aud(payload, audience)
  File "/Users/jpadilla/.local/share/virtualenvs/pyjwt-stuff-diVMP3qf/lib/python3.6/site-packages/jwt/api_jwt.py", line 183, in _validate_aud
    if not any(aud in audience_claims for aud in audience):
TypeError: 'NoneType' object is not iterable
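
The difference between the two sessions above, reproduced without PyJWT as an added example (not code from the pull request or the library): `validate_aud_1_6_0_shape` keeps only the failing line from the traceback, and `validate_aud_guarded` decides the `audience is None` case first. Both function names, the stand-in exception class and the `outcome` helper are assumptions made for illustration.

```python
class InvalidAudienceError(Exception):
    """Stand-in for jwt.exceptions.InvalidAudienceError (defined here, not imported)."""


def validate_aud_1_6_0_shape(payload, audience):
    # Hypothetical reduction: only the line from the v1.6.0 traceback, no None guard.
    audience_claims = payload["aud"]
    if isinstance(audience_claims, str):
        audience_claims = [audience_claims]
    if not any(aud in audience_claims for aud in audience):
        raise InvalidAudienceError("Invalid audience")


def validate_aud_guarded(payload, audience):
    # Hypothetical fixed shape: decide the audience=None case before iterating.
    if audience is None:
        if "aud" in payload:
            # Token names a recipient, the verifier named none: reject.
            raise InvalidAudienceError("Invalid audience")
        return  # neither side uses audiences, nothing to check
    if "aud" not in payload:
        raise InvalidAudienceError("Token has no aud claim")
    audience_claims = payload["aud"]
    if isinstance(audience_claims, str):
        audience_claims = [audience_claims]
    if not isinstance(audience_claims, list) or not all(
        isinstance(c, str) for c in audience_claims
    ):
        raise InvalidAudienceError("Invalid claim format in token")
    if isinstance(audience, str):
        audience = [audience]  # avoid iterating a string character by character
    if not any(aud in audience_claims for aud in audience):
        raise InvalidAudienceError("Invalid audience")


def outcome(check, payload, audience):
    """Return 'accepted' or the name of the exception the check raised."""
    try:
        check(payload, audience)
    except Exception as exc:
        return type(exc).__name__
    return "accepted"


if __name__ == "__main__":
    token_payload = {"aud": "urn:me"}  # constructed payload, same claim as the sessions
    for check in (validate_aud_1_6_0_shape, validate_aud_guarded):
        print(check.__name__, outcome(check, token_payload, None))
```

A handler that catches only the library's token exceptions treats the first outcome as an unhandled error instead of a rejected token, which is why the exception type matters here.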

@jpadilla jpadilla added the bug label Mar 14, 2018
jwt/api_jwt.py Outdated
if audience is None and 'aud' in payload:
# Application did not specify an audience, but
# the token has the 'aud' claim
raise InvalidAudienceError('Audience is specified in the payload, but not the application')
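Review bot: the string passed to InvalidAudienceError on the raise line is new wording, while 1.5.3 raised 'Invalid audience' for this same input; reuse 'Invalid audience' so callers and tests that compare the message see no second behaviour change. The `audience is None and 'aud' in payload` guard also has to run before the `any(aud in audience_claims for aud in audience)` line from the traceback, and a regression test that decodes a token carrying `aud` without passing `audience` would pin this branch.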
Owner

Update exception message to Invalid audience so it matches previous behavior.

@@ -10,6 +10,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).

### Fixed

- Audience parameter throws `InvalidAudienceError` when application does not specify an audience, but the token does. [#336][336]
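Review bot: the `[#336][336]` in the new entry is a reference-style link, and this hunk adds no `[336]:` definition, so it will render as literal text until a definition line is added to the file. The entry could also say what changed rather than what the behaviour is, for example that decoding raises `InvalidAudienceError` again when the application passes no audience and the token carries one.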
Owner

Add [336]: https://github.com/jpadilla/pyjwt/pull/336 towards the end of the file.

@djw8605
Contributor Author

djw8605 commented Mar 15, 2018

@jpadilla changes made.

@jpadilla jpadilla merged commit 02374f4 into jpadilla:master Mar 15, 2018
@jpadilla
Owner

@djw8605 thanks! I'll try to release v1.6.1 soon.
