Merge commit from fork
This is a bug introduced in version 2.10.0: checking the "iss" claim
changed from `isinstance(issuer, list)` to `isinstance(issuer,
Sequence)`.

```diff
-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:
```

Since `str` is a `Sequence` but not a `list`, `in` is now also used for string
comparison. This results in `if "abc" not in "__abcd__":` being
checked instead of `if "abc" != "__abc__":`.

Co-authored-by: Fabian Badoi <fabian.badoi@gmail.com>
jpadilla and fabianbadoi authored Nov 28, 2024
1 parent 783f324 commit 33022c2
Showing 2 changed files with 13 additions and 3 deletions.
6 changes: 3 additions & 3 deletions jwt/api_jwt.py
Expand Up @@ -419,11 +419,11 @@ def _validate_iss(self, payload: dict[str, Any], issuer: Any) -> None:
if "iss" not in payload:
raise MissingRequiredClaimError("iss")

if isinstance(issuer, Sequence):
if payload["iss"] not in issuer:
if isinstance(issuer, str):
if payload["iss"] != issuer:
raise InvalidIssuerError("Invalid issuer")
else:
if payload["iss"] != issuer:
if payload["iss"] not in issuer:
raise InvalidIssuerError("Invalid issuer")


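Review bot: The `else` branch at `if payload["iss"] not in issuer:` now applies to every non-str issuer rather than only to sequences, so an issuer of an unsupported type (an int, or a `bytes` value) makes the `in` test raise `TypeError` instead of `InvalidIssuerError`, whereas the removed `else` compared such values with `!=`. If that widening is not intended, keep a `Sequence` middle case (the name is used by the removed line, so it should still be in scope) and fall back to equality for everything else, as sketched below. Either way the str special case deserves a comment, e.g. `# str is itself a Sequence; compare whole values, never substrings`, since the 2.10.0 regression came from exactly that. `_validate_iss` appears to continue below the hunk.
```python
        if isinstance(issuer, str):
            # str is itself a Sequence; compare whole values, never substrings
            if payload["iss"] != issuer:
                raise InvalidIssuerError("Invalid issuer")
        elif isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:
            if payload["iss"] != issuer:
                raise InvalidIssuerError("Invalid issuer")
```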
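--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -464,6 +464,16 @@ def test_raise_exception_token_without_issuer(self, jwt):
 
         assert exc.value.claim == "iss"
 
+    def test_rasise_exception_on_partial_issuer_match(self, jwt):
+        issuer = "urn:expected"
+
+        payload = {"iss": "urn:"}
+
+        token = jwt.encode(payload, "secret")
+
+        with pytest.raises(InvalidIssuerError):
+            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
+
     def test_raise_exception_token_without_audience(self, jwt):
         payload = {"some": "payload"}
         token = jwt.encode(payload, "secret")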
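Review bot: The new test's name `test_rasise_exception_on_partial_issuer_match` carries a typo; rename it to `test_raise_exception_on_partial_issuer_match` so it matches the neighbouring `test_raise_exception_*` methods. The test only pins the prefix case (`"urn:"` against `"urn:expected"`); unless the file already covers it elsewhere, a companion case where a token whose `iss` is a longer string containing the configured issuer (constructed value, e.g. `{"iss": "xurn:expectedx"}`) is also rejected would guard the other direction of the substring bug.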
