Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate the options passed in to jwt.decode #869

Open
samwho opened this issue Mar 14, 2023 · 5 comments
Open

Validate the options passed in to jwt.decode #869

samwho opened this issue Mar 14, 2023 · 5 comments
Labels
keep

Comments

@samwho
Copy link

samwho commented Mar 14, 2023

We recently discovered a bug in our code that wasn't caught by tests because where we do jwt.decode we were supplying an option called "required": [...] instead of "require": [...], and so our JWTs weren't being validated to contain the expected fields.

So the call looked like this:

payload = jwt.decode(
  token,
  key,
  algorithms=algorithms,
  audience=audience,
  options={
    "keys": [...],
    "options": {
      "required": [...], # this should be: "require": [...]
  },
)

pyjwt doesn't complain about this, it continues without doing any checking that fields are present. It would have prevented us some pain if pyjwt raises an error when it receives an option it doesn't recognise.

If the project is willing to integrate this behaviour, I'd be happy to submit a PR making this change. 🙂
@github-actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the stale Issues without activity for more than 60 days label May 14, 2023
@samwho
Copy link
Author

samwho commented May 16, 2023

Bump to remove the "stale" tag :)

@jpadilla jpadilla added keep and removed stale Issues without activity for more than 60 days labels May 16, 2023
@AndriiDubonos
Copy link

Similar happened to our project.
IMO, this is must-have for the library that is related to the security.

I found this PR where kwargs are marked with deprecation and planned to be removed in version 3.0. But more than a year passed from the merge of this PR and version 3.0 is not released yet. Do we have an expected time period when 3.0 will be released?

Until than, at our project, we are forced to make a wrapper around the 'pyjwt.decode` and extensively test all options.

@codespearhead codespearhead mentioned this issue Mar 21, 2024
Closed
@codespearhead codespearhead mentioned this issue Aug 1, 2024
Closed
@codespearhead
Copy link

codespearhead commented Aug 1, 2024
edited
Loading

@AndriiDubonos v2.9.0 has just been relased.

@samwho Here's some starter code for your PR: #969 .

@AndriiDubonos
Copy link

Very nice. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
keep
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Improve type annotations for the option parameter in decode methods.
4 participants
@jpadilla @samwho @AndriiDubonos @codespearhead