Add JWTPayload(dict) for extended verification #322
Conversation
1 similar comment
sirosen
force-pushed
the
jwt-payload-object
branch
from
b8d257a
to
2e8c10e
Compare
2 similar comments
sirosen
force-pushed
the
jwt-payload-object
branch
from
2e8c10e
to
87370b4
Compare
1 similar comment
|
@mark-adams, I'm wondering if I could impose upon you to review this? If you'd much prefer the alternative path, in which callbacks are passed to Apologies if this seems pushy/impatient -- I just want some solution so that I can clean out some items from my backlog. It's not a Big Deal ™️ . |
The JWTPayload class allows PyJWT.decode() to expose header, signature, signing_input, and compute_hash_digest() (based on header) without changing the pyjwt API in a breaking way. Merely making this info accessible to the client without specifying an additional verification callback scheme is simpler for everyone. Include doc on why JWTPayload is a good idea in a module docstring, since it's a little unusual to subclass `dict`. The intent is to make the JWT payload change as little as possible while still making it easy to add more verification after the fact. Add a simple test for `JWTPayload.compute_hash_digest()` and a test for compute_hash_digest with cryptography (which is compared against a manual hashlib usage). Closes jpadilla#314, jpadilla#295
sirosen
force-pushed
the
jwt-payload-object
branch
from
bf622c6
to
e3222ad
Compare
|
Just rebased. All tests passed on my local tox except for |
|
I just started poking around here for the first time in a long time because the build system is clearly in a bad state. Looks like the whole GitHub Actions setup is stale: pyjwt/.github/workflows/main.yml Line 29 in 008490a However, that led me to notice that pyjwt is dropping py2.7 support. Is the next release going to be v2.0? I don't recall much about this change, but I know for sure that I only built it this way (subclassing dict, which is pretty weird) to remain backwards compatible. I'd have to take more time to reread, but I think I'd remove the dict inheritance if I were planning on a change for 2.0. It's much nicer, as an interface, if it's a special-purpose object with whatever attributes are wanted. You can implement |
|
OK will look into it soon |
|
Realistically, this is not going to happen. 2.0 would have been the appropriate time to convert the return value to a custom mapping type which could support additional methods or attributes. It's fine that this isn't being taken as an approach, but it would have been nice to get some response on the issues I filed. |
The JWTPayload class allows PyJWT.decode() to expose header, signature, signing_input, and compute_hash_digest() (based on header) without changing the pyjwt API in a breaking way.
Merely making this info accessible to the client (without specify an additional verification callback scheme) is simpler for everyone.
The intent is to make the JWT payload change as little as possible while still making it easy to add more verification after the fact.
More exposition on the options, and why I chose this, visible in #314 and the docstrings.
Add a simple test for
JWTPayload.compute_hash_digest()Closes #314, #295
I'm doing this primarily to satisfy a real need in my application to resolve #295 in a way that isn't a hack.