diff options
author | Mark Adams <mark@markadams.me> | 2017-04-17 08:22:27 -0500 |
---|---|---|
committer | Mark Adams <mark@markadams.me> | 2017-04-17 08:34:04 -0500 |
commit | 8f3a2a8a4098693357b69d63a1dbec514ed7c701 (patch) | |
tree | 757c9103c158153dbd8ca57fb9452d2b09c009e3 | |
parent | ceff941c705f6e745688a181f917f06e8706413e (diff) | |
download | pyjwt-8f3a2a8a4098693357b69d63a1dbec514ed7c701.tar.gz |
Stop rejecting tokens with future 'iat' values
RFC 7519 does not specify or even suggest this type of validation on the
'iat' claim and it has caused issues for several consumers of PyJWT.
This change removes the validation on future 'iat' values and leaves
such things up to the application developer to implement.
Fixes #190.
-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | docs/usage.rst | 3 | ||||
-rw-r--r-- | jwt/api_jwt.py | 6 | ||||
-rw-r--r-- | tests/test_api_jwt.py | 7 |
4 files changed, 3 insertions, 15 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 060876c..d377d50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244] - Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances. - Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230] +- Tokens with future 'iat' values are no longer rejected [#190][190] ### Fixed @@ -129,5 +130,6 @@ rarely used. Users affected by this should upgrade to 3.3+. [174]: https://github.com/jpadilla/pyjwt/pull/174 [182]: https://github.com/jpadilla/pyjwt/pull/182 [183]: https://github.com/jpadilla/pyjwt/pull/183 +[190]: https://github.com/jpadilla/pyjwt/pull/190 [213]: https://github.com/jpadilla/pyjwt/pull/214 [244]: https://github.com/jpadilla/pyjwt/pull/244 diff --git a/docs/usage.rst b/docs/usage.rst index c2e286c..14a2bf7 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -180,9 +180,6 @@ Issued At Claim (iat) This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL. -If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception -will be raised. - .. code-block:: python jwt.encode({'iat': 1371720939}, 'secret') diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py index 9703b8d..059c4a0 100644 --- a/jwt/api_jwt.py +++ b/jwt/api_jwt.py @@ -121,14 +121,10 @@ class PyJWT(PyJWS): def _validate_iat(self, payload, now, leeway): try: - iat = int(payload['iat']) + int(payload['iat']) except ValueError: raise DecodeError('Issued At claim (iat) must be an integer.') - if iat > (now + leeway): - raise InvalidIssuedAtError('Issued At claim (iat) cannot be in' - ' the future.') - def _validate_nbf(self, payload, now, leeway): try: nbf = int(payload['nbf']) diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py index 211f0df..bc9bda8 100644 --- a/tests/test_api_jwt.py +++ b/tests/test_api_jwt.py @@ -154,13 +154,6 @@ class TestJWT: with pytest.raises(DecodeError): jwt.decode(example_jwt, 'secret') - def test_decode_raises_exception_if_iat_in_the_future(self, jwt): - now = datetime.utcnow() - token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret') - - with pytest.raises(InvalidIssuedAtError): - jwt.decode(token, 'secret') - def test_encode_datetime(self, jwt): secret = 'secret' current_datetime = datetime.utcnow() |