authorMark Adams <mark@markadams.me>2017-04-17 08:54:13 -0500
committerGitHub <noreply@github.com>2017-04-17 08:54:13 -0500
commitce7f9293e998fa7a01f612b9193a05f17167de1e (patch)
treed435cb09b5aa15580527b0d41b6d9e32d3f6fc4b
parentceff941c705f6e745688a181f917f06e8706413e (diff)
parent3447f0c0eb7de46042b5cda975d37e361168bf60 (diff)
downloadpyjwt-ce7f9293e998fa7a01f612b9193a05f17167de1e.tar.gz
Merge pull request #252 from jpadilla/190-remove-iat-verification
Remove rejection of future 'iat' claims
-rw-r--r--CHANGELOG.md4
-rw-r--r--docs/usage.rst3
-rw-r--r--jwt/api_jwt.py8
-rw-r--r--tests/test_api_jwt.py9
4 files changed, 8 insertions, 16 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 060876c..a84f2bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
- Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
+- Tokens with future 'iat' values are no longer rejected [#190][190]
+- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
+
### Fixed
@@ -129,5 +132,6 @@ rarely used. Users affected by this should upgrade to 3.3+.
[174]: https://github.com/jpadilla/pyjwt/pull/174
[182]: https://github.com/jpadilla/pyjwt/pull/182
[183]: https://github.com/jpadilla/pyjwt/pull/183
+[190]: https://github.com/jpadilla/pyjwt/pull/190
[213]: https://github.com/jpadilla/pyjwt/pull/214
[244]: https://github.com/jpadilla/pyjwt/pull/244
diff --git a/docs/usage.rst b/docs/usage.rst
index c2e286c..a485a94 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -180,8 +180,7 @@ Issued At Claim (iat)
This claim can be used to determine the age of the JWT. Its value MUST be a
number containing a NumericDate value. Use of this claim is OPTIONAL.
-If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
-will be raised.
+ If the `iat` claim is not a number, an `jwt.InvalidIssuedAtError` exception will be raised.
.. code-block:: python
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index 9703b8d..bca6823 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -121,13 +121,9 @@ class PyJWT(PyJWS):
def _validate_iat(self, payload, now, leeway):
try:
- iat = int(payload['iat'])
+ int(payload['iat'])
except ValueError:
- raise DecodeError('Issued At claim (iat) must be an integer.')
-
- if iat > (now + leeway):
- raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
- ' the future.')
+ raise InvalidIssuedAtError('Issued At claim (iat) must be an integer.')
def _validate_nbf(self, payload, now, leeway):
try:
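Review bot: The `except ValueError:` around `int(payload['iat'])` in `_validate_iat` does not cover an `iat` that is JSON `null`, a list or an object, because `int()` raises `TypeError` for those; such a token would surface a bare `TypeError` to the caller instead of `InvalidIssuedAtError`. Catching both, `except (TypeError, ValueError):`, would keep the behaviour the changelog and docs/usage.rst describe. `int()` also accepts numeric strings such as `"123"`, so the check is looser than the "MUST be a number" wording in the docs. With the future-`iat` comparison removed, `now` and `leeway` are unused in the visible body; a one-line docstring such as `"""Check only that 'iat' is numeric; future-dated or stale tokens are not rejected here."""` would tell callers that any issuance-time policy is now theirs to enforce. The enclosing `PyJWT` class begins outside the hunk.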
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index 211f0df..61de6e0 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -142,7 +142,7 @@ class TestJWT:
'eyJpYXQiOiJub3QtYW4taW50In0.'
'H1GmcQgSySa5LOKYbzGm--b1OmRbHFkyk8pq811FzZM')
- with pytest.raises(DecodeError):
+ with pytest.raises(InvalidIssuedAtError):
jwt.decode(example_jwt, 'secret')
def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
@@ -154,13 +154,6 @@ class TestJWT:
with pytest.raises(DecodeError):
jwt.decode(example_jwt, 'secret')
- def test_decode_raises_exception_if_iat_in_the_future(self, jwt):
- now = datetime.utcnow()
- token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret')
-
- with pytest.raises(InvalidIssuedAtError):
- jwt.decode(token, 'secret')
-
def test_encode_datetime(self, jwt):
secret = 'secret'
current_datetime = datetime.utcnow()