author | Przemysław Suliga <mail@suligap.net> | 2017-08-28 13:25:34 +0200 |
---|---|---|
committer | Mark Adams <mark@markadams.me> | 2017-08-31 10:00:29 -0500 |
commit | 608ed4a948e305cd1953ce93ab42094a046c0372 (patch) | |
tree | 60b46915e7e4326c26501c888cdf4b140b15246c | |
parent | 3def8d80eb3936dbcead07e86b6aee96ba07bfe9 (diff) | |
Warn about missing algorithms arg only when verify is True
When signature verification is disabled, `algorithms` is never consulted, so warning about its absence is noise.
-rw-r--r-- | CHANGELOG.md | 6 | ||||
-rw-r--r-- | jwt/api_jws.py | 15 | ||||
-rw-r--r-- | jwt/api_jwt.py | 2 | ||||
-rw-r--r-- | tests/test_api_jws.py | 18 | ||||
-rw-r--r-- | tests/test_api_jwt.py | 13 |
5 files changed, 46 insertions, 8 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78b2da0..b4e2fbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,9 +7,14 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 [Unreleased][unreleased]
 -------------------------------------------------------------------------
 ### Changed
+
 - Increase required version of the cryptography package to >=1.4.0.
+
 ### Fixed
+
 - Remove uses of deprecated functions from the cryptography package.
+- Warn about missing `algorithms` param to `decode()` only when `verify` param is `True` [#281][281]
+
 ### Added
 
 [v1.5.2][1.5.2]
@@ -187,4 +192,5 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [270]: https://github.com/jpadilla/pyjwt/pull/270
 [271]: https://github.com/jpadilla/pyjwt/pull/271
 [277]: https://github.com/jpadilla/pyjwt/pull/277
+[281]: https://github.com/jpadilla/pyjwt/pull/281
 [7c1e61d]: https://github.com/jpadilla/pyjwt/commit/7c1e61dde27bafe16e7d1bb6e35199e778962742
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
index 2842258..223b22b 100644
--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@@ -118,7 +118,10 @@ class PyJWS(object):
 
     def decode(self, jws, key='', verify=True, algorithms=None,
               options=None, **kwargs):
-        if not algorithms:
+        merged_options = merge_dict(self.options, options)
+        verify_signature = merged_options['verify_signature']
+
+        if verify_signature and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +
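Review bot: Replacing `merged_options.get('verify_signature')` with the hard lookup `merged_options['verify_signature']` is the right direction — the old `.get()` defaulted to None, which would have silently skipped signature verification had the key ever been missing — but the new line raises KeyError out of a public method if neither `self.options` nor the caller supplies the key. If the instance defaults are not guaranteed to contain it (they are not visible in this hunk), fail safe with `merged_options.get('verify_signature', True)`, never with a falsy default. The warning on the following lines only nudges; with `algorithms=None` the accepted algorithm set presumably falls back to whatever `_verify_signature` takes from the token's own `alg` header (not shown here), which is the key-confusion risk the warning exists for, so a one-line comment above it would help: `# No allow-list means the token's "alg" header picks the verifier; callers must pin algorithms.` decode() continues past the end of this hunk.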
@@ -128,15 +131,13 @@ class PyJWS(object):
 
         payload, signing_input, header, signature = self._load(jws)
 
-        if verify:
-            merged_options = merge_dict(self.options, options)
-            if merged_options.get('verify_signature'):
-                self._verify_signature(payload, signing_input, header, signature,
-                                       key, algorithms)
-        else:
+        if not verify:
             warnings.warn('The verify parameter is deprecated. '
                           'Please use verify_signature in options instead.',
                           DeprecationWarning, stacklevel=2)
+        elif verify_signature:
+            self._verify_signature(payload, signing_input, header, signature,
+                                   key, algorithms)
 
         return payload
 
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index 589fa3a..9e20141 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -59,7 +59,7 @@ class PyJWT(PyJWS):
 
     def decode(self, jwt, key='', verify=True, algorithms=None,
               options=None, **kwargs):
-        if not algorithms:
+        if verify and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +
diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
index c90fda2..4e440bd 100644
--- a/tests/test_api_jws.py
+++ b/tests/test_api_jws.py
@@ -275,6 +275,24 @@ class TestJWS:
 
         pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
 
+    def test_decode_no_algorithms_verify_signature_false(self, jws):
+        example_secret = 'secret'
+        example_jws = (
+            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
+            b'aGVsbG8gd29ybGQ.'
+            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
+        )
+
+        try:
+            pytest.deprecated_call(
+                jws.decode, example_jws, key=example_secret,
+                options={'verify_signature': False},
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."
+
     def test_load_no_verification(self, jws, payload):
         right_secret = 'foo'
         jws_message = jws.encode(payload, right_secret)
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index 798e4b7..8ce3f2c 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
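Review bot: The new `if not verify:` / `elif verify_signature:` ordering makes the deprecated `verify=False` win over an explicit `options={'verify_signature': True}`: the caller gets only a DeprecationWarning and the payload is returned unverified, with `key` and `algorithms` never consulted. That precedence is pre-existing, but now that the branch is spelled out it should be documented on the `if not verify:` line, e.g. `# Deprecated verify=False disables verification regardless of options['verify_signature'].`, and the deprecation message could say the same so migrating callers do not assume the option is honoured. decode() begins before this hunk.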
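Review bot: PyJWT.decode gates its own `algorithms` warning on `verify` alone (`if verify and not algorithms:`), whereas the PyJWS.decode change in this same commit gates on the merged `options['verify_signature']`, so `jwt.decode(token, options={'verify_signature': False})` — the very spelling the deprecation message steers callers to — still warns at the JWT layer while the JWS layer stays silent. Mirror the JWS logic here, e.g. `verify_signature = merge_dict(self.options, options)['verify_signature']` followed by `if verify and verify_signature and not algorithms:`, assuming `merge_dict` and `self.options` are available in api_jwt.py as they are in api_jws.py (not visible in this hunk). The rest of this decode() lies outside the hunk.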
@@ -482,3 +482,16 @@ class TestJWT:
             jwt_message, secret
         )
+
+    def test_decode_no_algorithms_verify_false(self, jwt, payload):
+        secret = 'secret'
+        jwt_message = jwt.encode(payload, secret)
+
+        try:
+            pytest.deprecated_call(
+                jwt.decode, jwt_message, secret, verify=False,
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."
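Review bot: The new test covers only the deprecated `verify=False` spelling, not `options={'verify_signature': False}`, which is the replacement the deprecation message recommends and the case the sibling JWS test exercises; a second case calling `jwt.decode(jwt_message, secret, options={'verify_signature': False})` would pin the JWT-layer behaviour for the supported path as well. The `try` / `except AssertionError` / `else: assert False` wrapper around `pytest.deprecated_call` depends on that helper failing with an AssertionError, which is an implementation detail; recording warnings with `warnings.catch_warnings(record=True)` and asserting that none of them mention `algorithms` (the `verify=False` call will still emit the verify deprecation warning, so filter on the message) states the intent directly. Note that `assert False` is stripped under `python -O`; `pytest.fail("...")` is the idiomatic way to force a failure in the `else` branch.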