In [2]:
import base64
import json
import hmac
import hashlib
import time

In [3]:
SECRET = b'secret_key_for_signature'

In [29]:
def base64url_encode(data: bytes) -> str:
  return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def base64url_decode(data: str) -> bytes:
  r = len(data) % 4
  if r > 0:
    data += '='*(4-r)
  return base64.urlsafe_b64decode(data)

In [42]:
encoded = base64url_encode(b'a')
encoded
base64url_decode(encoded)

'YQ'

b'a'

In [43]:
encoded = base64url_encode(b'aa')
encoded
base64url_decode(encoded)

'YWE'

b'aa'

In [44]:
encoded = base64url_encode(b'aaa')
encoded
base64url_decode(encoded)

'YWFh'

b'aaa'

In [45]:
encoded = base64url_encode(b'aaaa')
encoded
base64url_decode(encoded)

'YWFhYQ'

b'aaaa'

In [30]:
encoded = base64url_encode(b'hello world')
encoded

decoded = base64url_decode(encoded)
decoded

'aGVsbG8gd29ybGQ'

b'hello world'

In [31]:
def sign(message: bytes) -> str:
  sig = hmac.new(SECRET, message, hashlib.sha256).digest()
  return base64url_encode(sig)


sign(b'hello world')

'HYQcAZkemDxj8Q27TPIuZnVBQhI2DTGTI4pFpQ9xN8U'

In [32]:
header = {
    "alg": 'HS256',
    'typ': 'JWT',
}

payload = {
    'sub': 1,
    'iat': int(time.time())
}

header_b64 = base64url_encode(json.dumps(header).encode())
header_b64

payload_b64 = base64url_encode(json.dumps(payload).encode())
payload_b64

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9'

'eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMjg4Mn0'

In [33]:
message = f'{header_b64}.{payload_b64}'.encode()
message

signature = sign(message)
signature

b'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMjg4Mn0'

'gGfAOcF8lH43s3AyaTI_ozy69e9g5KozoFW48tolSX4'

In [34]:
token = f'{header_b64}.{payload_b64}.{signature}'.encode()
token

b'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMjg4Mn0.gGfAOcF8lH43s3AyaTI_ozy69e9g5KozoFW48tolSX4'

In [35]:
def jwt_encode(payload: dict) -> str:
  header = {
      'alg': 'HS256',
      'typ': 'JWT'
  }

  header_b64 = base64url_encode(json.dumps(header).encode())
  payload_b64 = base64url_encode(json.dumps(payload).encode())

  message = f'{header_b64}.{payload_b64}'.encode()
  signature = sign(message)

  return f'{header_b64}.{payload_b64}.{signature}'


token = jwt_encode({
    'sub': 1,
    'iat': int(time.time())
})

token

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTc2ODIyMjg4Mn0.gGfAOcF8lH43s3AyaTI_ozy69e9g5KozoFW48tolSX4'

In [36]:
header_b64, payload_b64, signature = token.split('.')

message = f'{header_b64}.{payload_b64}'.encode()
expected_signature = sign(message)

if not hmac.compare_digest(signature, expected_signature):
  raise Exception('Invalid signature')

payload = json.loads(base64url_decode(payload_b64))
payload

payload['iat']

{'sub': 1, 'iat': 1768222882}

1768222882

In [37]:
def jwt_decode(token: str) -> dict:
  header_b64, payload_b64, signature = token.split('.')

  message = f'{header_b64}.{payload_b64}'.encode()
  expected_signature = sign(message)

  if not hmac.compare_digest(signature, expected_signature):
    raise Exception('Invalid signature')

  return json.loads(base64url_decode(payload_b64))


payload = jwt_decode(token)

In [38]:
payload = {
    'sub': 1,
    'iat': 123
}

token = jwt_encode(payload)
token

payload_recovered = jwt_decode(token)

payload_recovered == payload

'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAxLCAiaWF0IjogMTIzfQ.Py0J5r_M4SFbkEXe6i7w3dU-tmsS0Vq4QdHv5KdyGNM'

True

In [39]:
base64url_encode(b'a')
base64url_encode(b'aa')
base64url_encode(b'aaa')

'YQ'

'YWE'

'YWFh'

In [40]:
encoded = base64.urlsafe_b64encode(b'a').rstrip(b'=').decode()
r = len(encoded) % 4
r

if r > 0:
  encoded += '='*(4-r)

encoded

2

'YQ=='