-
Notifications
You must be signed in to change notification settings - Fork 537
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update pyjwt to 1.5.0 #5203
Update pyjwt to 1.5.0 #5203
Conversation
Also add a new test for none-number `iat` values.
Summoning @kumar303 and @diox for opinions on this. PyJWT removed validation for future I do see points of both argument-sides but think validating r? |
I don't have a strong opinion regarding future |
If these tests still pass then maybe it's ok? We might do our own I haven't read the discussion but as I recall, protecting against |
# https://github.com/jpadilla/pyjwt/pull/252/ | ||
# `verify_iat` is still in options because pyjwt still validates | ||
# that `iat` is a proper number. | ||
if int(payload['iat']) > (now + api_settings.JWT_LEEWAY): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, I see that you moved it over explicitly. I think that's a good thing to do, at least until we know can assess the usefulness of iat
validation with security folks.
r+
Perfect, thanks for the comments! I'll go ahead and merge this then so we simply keep our current functionality in tact but upgrade to the new version to stay up-to-date. |
There's a new version of PyJWT available.
You are currently using 1.4.2. I have updated it to 1.5.0
These links might come in handy: PyPI | Changelog | Repo
Changelog
Got merge conflicts? Close this PR and delete the branch. I'll create a new PR for you.
Happy merging! 🤖