In [73]:
import base64
import json
import hmac
import hashlib
import time

In [74]:
SECRET = b'super-secret-key'

In [75]:
def base64url_encode(data: bytes) -> str:
  return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def base64url_decode(data: str) -> bytes:
  r = len(data) % 4
  if r > 0:
    data += '='*(4-r)
  return base64.urlsafe_b64decode(data)


encoded = base64url_encode(b'hello vidu')
encoded

decoded = base64url_decode(encoded)
decoded

'aGVsbG8gdmlkdQ'

b'hello vidu'

In [76]:
base64url_decode(base64url_encode(b'a')) == b'a'
base64url_decode(base64url_encode(b'aa')) == b'aa'
base64url_decode(base64url_encode(b'aaa')) == b'aaa'
base64url_decode(base64url_encode(b'aaaa')) == b'aaaa'

True

True

True

True

In [77]:
def sign(message: bytes) -> str:
  sig = hmac.new(SECRET, message, hashlib.sha256).digest()
  return base64url_encode(sig)


sign(b'hello')

'6yXy__rAaqdU4ZKtGgaWRGB1jBXvzrSDMNZEYyW5JaM'

In [78]:
header = {
    'alg': 'HS256',
    'typ': 'JWT',
}

payload = {
    "sub": 1,
    "iat": int(time.time())
}

header_b64 = base64url_encode(json.dumps(header).encode())
header_b64

payload_b64 = base64url_encode(json.dumps(payload).encode())
payload_b64

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9'

'eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMzM3Mn0'

In [79]:
message = f'{header_b64}.{payload_b64}'.encode()
message

signature = sign(message)
signature

token = f'{header_b64}.{payload_b64}.{signature}'
token

b'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMzM3Mn0'

'FOUvJMzgOgvwTtZ6MSO-LpLrptTIbtJ2vJb3k51NuWQ'

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMzM3Mn0.FOUvJMzgOgvwTtZ6MSO-LpLrptTIbtJ2vJb3k51NuWQ'

In [80]:
def jwt_encode(payload: dict) -> str:
  header = {
      "alg": "HS256",
      "typ": "JWT",
  }

  header_b64 = base64url_encode(json.dumps(header).encode())
  payload_b64 = base64url_encode(json.dumps(payload).encode())

  message = f'{header_b64}.{payload_b64}'.encode()
  signature = sign(message)

  return f'{header_b64}.{payload_b64}.{signature}'


token = jwt_encode({
    "sub": 1,
    "iat": 123
})
token

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTIzfQ.n0Vc--wM_jqAMmenURidvglV5tYv0hPT05jT-Psg9KM'

In [81]:
header_b64, payload_b64, signature = token.split('.')

message = f'{header_b64}.{payload_b64}'.encode()
expected_signature = sign(message)

if not hmac.compare_digest(signature, expected_signature):
  raise Exception("Invalid signature")

payload = json.loads(base64url_decode(payload_b64))
payload

payload['iat']

{'sub': 1, 'iat': 123}

123

In [82]:
def jwt_decode(token: str) -> dict:
  header_b64, payload_b64, signature = token.split('.')

  message = f'{header_b64}.{payload_b64}'.encode()
  expected_signature = sign(message)

  # print("DEBUG: this is payload:", json.loads(base64url_decode(payload_b64)))

  if not hmac.compare_digest(signature, expected_signature):
    raise Exception("Invalid signature")

  return json.loads(base64url_decode(payload_b64))


jwt_decode(token)

{'sub': 1, 'iat': 123}

In [83]:
payload = {
    'name': 'vidu',
    'age': '22',
    'is_admin': False
}

token_issued = jwt_encode(payload)
token_issued

payload_recovered = jwt_decode(token_issued)
payload == payload_recovered

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogInZpZHUiLCAiYWdlIjogIjIyIiwgImlzX2FkbWluIjogZmFsc2V9.3keRRHwH4y0UwZi-KuFTQXeQDB-4ljyMfQaxp9d_fKw'

True

In [84]:
# jwt_decode('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidmlkdSIsImFnZSI6Ijk5IiwiaXNfYWRtaW4iOnRydWV9.vME9Xs7IRAE3FOdYoxSCDi5oOYLP9qlNNJ9U38Nt924')

In [85]:
base64url_encode(b'a')  # 1 bytes (2 equals padding)
base64url_encode(b'aa')  # 2 bytes (1 equals padding)
base64url_encode(b'aaa')  # 3 bytes

'YQ'

'YWE'

'YWFh'

In [86]:
encoded = base64.urlsafe_b64encode(b'aa').rstrip(b'=').decode()
encoded

r = len(encoded) % 4
r

if r > 0:
  print(f'need to add {4-r} "="s')
  encoded += '='*(4-r)

'YWE'

3

need to add 1 "="s


In [87]:
base64.urlsafe_b64decode(encoded)

b'aa'