chore: update all libs to latest versions and fix jws conflict

Latest crypto library update introduced a change that this fixes as well. Closes #453
mozilla-services · May 13, 2016 · 450904d · 450904d
1 parent 4d1e64e
commit 450904d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/autopush/tests/test_endpoint.py b/autopush/tests/test_endpoint.py
@@ -797,7 +797,7 @@ def test_post_webpush_with_vapid_auth(self):
 
             kd2 = utils.base64url_decode(crypto_key)
             vk2 = ecdsa.VerifyingKey.from_string(kd2, curve=ecdsa.NIST256p)
-            res = jws.verify(token, vk2, algorithms=["ES256"])
+            res = json.loads(jws.verify(token, vk2, algorithms=["ES256"]))
             eq_(res, payload)
         """
         self.request_mock.headers["crypto-key"] = \

diff --git a/autopush/utils.py b/autopush/utils.py
@@ -2,6 +2,7 @@
 import base64
 import hashlib
 import hmac
+import json
 import socket
 import uuid
 
@@ -115,7 +116,11 @@ def extract_jwt(token, crypto_key):
 
     key = decipher_public_key(crypto_key)
     vk = ecdsa.VerifyingKey.from_string(key, curve=ecdsa.NIST256p)
-    return jws.verify(token, vk, algorithms=["ES256"])
+    # jose offers jwt.decode(token, vk, ...) which does a full check
+    # on the JWT object. Vapid is a bit more creative in how it
+    # stores data into a JWT and breaks expectations. We would have to
+    # turn off most of the validation in order for it to be useful.
+    return json.loads(jws.verify(token, vk, algorithms=["ES256"]))
 
 
 class ErrorLogger(object):