authorJosé Padilla <jpadilla@webapplicate.com>2015-06-23 06:30:45 -0400
committerJosé Padilla <jpadilla@webapplicate.com>2015-06-23 06:30:45 -0400
commit63cda82d0bb4c15b8408eb9214684d9373c30829 (patch)
treed00d34f65682f3615fd72082f4a6ed14182b9eb7
parent151c84e3ede03f3ee7c2c2130316e63d560cf26d (diff)
parentd98520007878c1e3a08ee9f94c3fa6ceb02ab667 (diff)
downloadpyjwt-63cda82d0bb4c15b8408eb9214684d9373c30829.tar.gz
Merge pull request #171 from alexm92/master
Fixed #167 throw InvalidAlgorithmError if alg not in header
-rw-r--r--jwt/api_jws.py2
-rw-r--r--tests/test_api_jws.py10
2 files changed, 11 insertions, 1 deletions
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
index 13b6214..0c61c7d 100644
--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@@ -165,7 +165,7 @@ class PyJWS(object):
def _verify_signature(self, payload, signing_input, header, signature,
key='', algorithms=None):
- alg = header['alg']
+ alg = header.get('alg')
if algorithms is not None and alg not in algorithms:
raise InvalidAlgorithmError('The specified alg value is not allowed')
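Review bot: The new `alg = header.get('alg')` line turns a missing header into `None`, but the only rejection visible here is the allow-list test below it, and that test is skipped whenever `algorithms` is None, which is the default in this signature. In that case `None` is passed on to the rest of `_verify_signature`, which continues outside this hunk, so whether the token is refused depends on how the later algorithm lookup treats a `None` key. A guard placed directly after the assignment would make the refusal independent of the caller's arguments: `if alg is None: raise InvalidAlgorithmError('Token header has no alg value')`. It would also avoid reporting "The specified alg value is not allowed" for a token that specified no value at all.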
diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
index 9395ae8..9aa8b85 100644
--- a/tests/test_api_jws.py
+++ b/tests/test_api_jws.py
@@ -270,6 +270,16 @@ class TestJWS:
assert 'Signature verification' in str(exc.value)
+ def test_verify_signature_with_no_algo_header_throws_exception(self, jws, payload):
+ example_jws = (
+ b'e30'
+ b'.eyJhIjo1fQ'
+ b'.KEh186CjVw_Q8FadjJcaVnE7hO5Z9nHBbU8TgbhHcBY'
+ )
+
+ with pytest.raises(InvalidAlgorithmError):
+ jws.decode(example_jws, 'secret')
+
def test_invalid_crypto_alg(self, jws, payload):
with pytest.raises(NotImplementedError):
jws.encode(payload, 'secret', algorithm='HS1024')
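Review bot: `test_verify_signature_with_no_algo_header_throws_exception` calls `jws.decode(example_jws, 'secret')` without an `algorithms` argument, so it pins only one of the two ways a token with no `alg` can be refused. The allow-list branch changed in `jwt/api_jws.py` is presumably not exercised, assuming `decode` forwards its default of no allow-list. A second case in the same test would cover it: `with pytest.raises(InvalidAlgorithmError):` followed by `jws.decode(example_jws, 'secret', algorithms=['HS256'])`. A short comment on the fixture would also help readers, for example `# b'e30' is base64url for {}: a header with no alg`. The `payload` fixture in the new test's signature is unused.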