diff options
author | Ajitomi, Daisuke <ajitomi@gmail.com> | 2021-07-30 22:00:54 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-30 09:00:54 -0400 |
commit | c8ab900b831c4e859620c964d25737bf95d5eeb8 (patch) | |
tree | a06f33c273152af0405bac5f1cc24b2be37460f7 | |
parent | a629ecd73221f12402066ccc4a13f04a7c856792 (diff) | |
download | pyjwt-c8ab900b831c4e859620c964d25737bf95d5eeb8.tar.gz |
Fix aud validation to support {'aud': null} case. (#670)
* Fix aud validation to support {'aud': null} case.
* Fix aud validation to support {'aud': null} case.
-rw-r--r-- | CHANGELOG.rst | 2 | ||||
-rw-r--r-- | jwt/api_jwt.py | 15 | ||||
-rw-r--r-- | tests/test_api_jwt.py | 19 |
3 files changed, 28 insertions, 8 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b138569..763822a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,6 +13,8 @@ Changed Fixed ~~~~~ +- Fix aud validation to support {'aud': null} case. `#670 <https://github.com/jpadilla/pyjwt/pull/670>`__ + Added ~~~~~ diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py index 70a5e53..55a8f29 100644 --- a/jwt/api_jwt.py +++ b/jwt/api_jwt.py @@ -177,19 +177,18 @@ class PyJWT: raise ExpiredSignatureError("Signature has expired") def _validate_aud(self, payload, audience): - if audience is None and "aud" not in payload: - return + if audience is None: + if "aud" not in payload or not payload["aud"]: + return + # Application did not specify an audience, but + # the token has the 'aud' claim + raise InvalidAudienceError("Invalid audience") - if audience is not None and "aud" not in payload: + if "aud" not in payload or not payload["aud"]: # Application specified an audience, but it could not be # verified since the token does not contain a claim. raise MissingRequiredClaimError("aud") - if audience is None and "aud" in payload: - # Application did not specify an audience, but - # the token has the 'aud' claim - raise InvalidAudienceError("Invalid audience") - audience_claims = payload["aud"] if isinstance(audience_claims, str): diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py index 56de90c..1faa05f 100644 --- a/tests/test_api_jwt.py +++ b/tests/test_api_jwt.py @@ -202,6 +202,16 @@ class TestJWT: with pytest.raises(DecodeError): jwt.decode(example_jwt, "secret", algorithms=["HS256"]) + def test_decode_raises_exception_if_aud_is_none(self, jwt): + # >>> jwt.encode({'aud': None}, 'secret') + example_jwt = ( + "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." + "eyJhdWQiOm51bGx9." + "-Peqc-pTugGvrc5C8Bnl0-X1V_5fv-aVb_7y7nGBVvQ" + ) + decoded = jwt.decode(example_jwt, "secret", algorithms=["HS256"]) + assert decoded["aud"] is None + def test_encode_datetime(self, jwt): secret = "secret" current_datetime = datetime.utcnow() @@ -413,6 +423,15 @@ class TestJWT: assert exc.value.claim == "aud" + def test_raise_exception_token_with_aud_none_and_without_audience(self, jwt): + payload = {"some": "payload", "aud": None} + token = jwt.encode(payload, "secret") + + with pytest.raises(MissingRequiredClaimError) as exc: + jwt.decode(token, "secret", audience="urn:me", algorithms=["HS256"]) + + assert exc.value.claim == "aud" + def test_check_issuer_when_valid(self, jwt): issuer = "urn:foo" payload = {"some": "payload", "iss": "urn:foo"} |