Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

algorithm parameter must be specified as "none" instead of None #1022

Open
alexburuiana opened this issue Nov 29, 2024 · 7 comments
Open

algorithm parameter must be specified as "none" instead of None #1022

alexburuiana opened this issue Nov 29, 2024 · 7 comments

Comments

@alexburuiana
Copy link

alexburuiana commented Nov 29, 2024
edited
Loading

There was a change in the 2.10.0 update where passing None to the algorithm parameter in jwt.encode() would result in the algoritm_ class member being set to "HS256" instead of "none".

File: jwt/api_jws.py:118-124

Expected Result

I have a test where I run something like:

def test_token():
    token= jwt.encode({"some": "payload"}, key=None, algorithm=None)

    ...

    with pytest.raises(InvalidTokenException):
        use_the_token({"access_token": token})

This test used to pass with pyjwt version 2.9.0.

Actual Result

After the update to 2.10.0 this test fails.

After investigating, I found that pyjwt sets the algorithm to "HS256" when I set it to None, where before it was set to "none". This means I need to specify algorithm="none" for the test to pass.

Conclusion

I think this change from jwt.encode(..., algorithm=None) to jwt.encode(..., algorithm="none") is a lot less intuitive. If HS256 is going to be a default that's applied when algorithm is specified as None, I think this should also be documented.
@qqii
Copy link

qqii commented Nov 29, 2024

This seems to come from #979.

@qqii
Copy link

qqii commented Nov 29, 2024

This change was documented as part of v2.10.0 in the changelog: https://github.com/jpadilla/pyjwt/blob/3ebbb22f30f2b1b41727b269a08b427e9a85d6bb/CHANGELOG.rst#v2100

@rayluo
Copy link
Contributor

rayluo commented Dec 5, 2024

After the update to 2.10.0 this test fails.

After investigating, I found that pyjwt sets the algorithm to "HS256" when I set it to None, where before it was set to "none". This means I need to specify algorithm="none" for the test to pass.

I ran into the same issue. This is effectively a breaking change that should have been shipped with a major version bump.

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 4, 2025

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the stale Issues without activity for more than 60 days label Feb 4, 2025
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 11, 2025
@auvipy auvipy reopened this Feb 11, 2025
@auvipy auvipy removed the stale Issues without activity for more than 60 days label Feb 11, 2025
@auvipy
Copy link
Collaborator

auvipy commented Feb 11, 2025

contributions are welcome to fix this

@kbehlers
Copy link

@auvipy The original implementation had a sentinel value of sorts but that was discouraged here #979 (comment).

Would fixing this issue make a revert of 4c61e92 viable as a solution?

@auvipy
Copy link
Collaborator

auvipy commented Feb 13, 2025

you can come with a draft PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rayluo @auvipy @qqii @kbehlers @alexburuiana