This repository was archived by the owner on Nov 13, 2023. It is now read-only.

Commit aa63614

committed
Breaking API change: verify_jwt expects allowed_algs now (defaults to empty list)
1 parent 8a2c72b commit aa63614

24 files changed

Lines changed: 385 additions & 338 deletions

.travis.yml

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,7 @@
11
language: python
22
python:
33
- "2.7"
4+
- "3.4"
45
node_js:
56
- "0.12"
67
before_install:
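Review bot: the README change in this same commit says the unit tests are blocked on PyVows and gevent support for Python 3.4, so the new `- "3.4"` entry will most likely produce a red build until those land; consider pairing it with a `matrix: allow_failures` entry for 3.4 so the 2.7 result stays meaningful.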

README.md

Lines changed: 4 additions & 4 deletions
@@ -2,11 +2,11 @@
22

33
Module for generating and verifying [JSON Web Tokens](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html).
44

5+
- **Note:** Versions 1.0.0 and later fix [a vulnerability](https://www.timmclean.net/2015/02/25/jwt-alg-none.html) in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. [verify_jwt](http://githubraw.herokuapp.com/davedoesdev/python-jwt/master/docs/_build/html/index.html#jwt.verify_jwt) now requires you to specify which signature algorithms are allowed.
56
- Uses [python-jws](https://github.com/brianloveswords/python-jws) to do the heavy lifting.
67
- Supports [__RS256__, __RS384__, __RS512__](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.3), [__PS256__, __PS384__, __PS512__](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.5), [__HS256__, __HS384__, __HS512__](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.2) and [__none__](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.6) signature algorithms.
78
- Unit tests, including tests for interoperability with [node-jsjws](https://github.com/davedoesdev/node-jsjws).
8-
- Does _not_ support Python 3 (gated on [python-jws support for Python 3](https://github.com/brianloveswords/python-jws/issues/14)).
9-
- **Note:** Versions 0.3.5 and later fix [a vulnerability](https://www.timmclean.net/2015/02/25/jwt-alg-none.html) in JSON Web Token verification so please upgrade if you're using this functionality. [verify_jwt](http://githubraw.herokuapp.com/davedoesdev/python-jwt/master/docs/_build/html/index.html#jwt.verify_jwt) no longer accepts unsigned tokens when you supply a key and supports specifying which signature algorithms are allowed.
9+
- Tentative support for Python 3.4. Although the examples below work, the unit tests are blocked on [PyVows](https://github.com/heynemann/pyvows/issues/23) and [gevent](https://github.com/gevent/gevent/issues/38) support for Python 3.4. **Note:** [verify_jwt](http://githubraw.herokuapp.com/davedoesdev/python-jwt/master/docs/_build/html/index.html#jwt.verify_jwt) now returns the token as a Unicode string, even on Python 2.7.
1010

1111
Example:
1212

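Review bot: two wording points on the new note. First, "now requires you to specify which signature algorithms are allowed" does not match the commit message, which says `allowed_algs` defaults to an empty list; the practical consequence of leaving it out is presumably that no algorithm is accepted and every token fails verification, which is the safe direction but worth stating explicitly so users do not read the rejection as a bug. Second, "verify_jwt now returns the token as a Unicode string" sits oddly next to the example on line 18+, where verify_jwt returns `header, claims`; if the Unicode change concerns the value produced by generate_jwt, name that function instead. Finally, the removed 0.3.5 note was the only place documenting that unsigned tokens are rejected when a key is supplied; since 'none' is still listed as a supported algorithm, say whether it must now appear in the allowed list to be accepted.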
@@ -15,7 +15,7 @@ import jwt, Crypto.PublicKey.RSA as RSA, datetime
1515
key = RSA.generate(2048)
1616
payload = { 'foo': 'bar', 'wup': 90 };
1717
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
18-
header, claims = jwt.verify_jwt(token, key)
18+
header, claims = jwt.verify_jwt(token, key, ['PS256'])
1919
for k in payload: assert claims[k] == payload[k]
2020
```
2121

@@ -41,7 +41,7 @@ payload = { 'foo': 'bar', 'wup': 90 };
4141
priv_key = RSA.importKey(priv_pem)
4242
pub_key = RSA.importKey(pub_pem)
4343
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
44-
header, claims = jwt.verify_jwt(token, pub_key)
44+
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
4545
for k in payload: assert claims[k] == payload[k]
4646
```
4747

README.rst

Lines changed: 15 additions & 10 deletions
@@ -3,6 +3,13 @@
33
Module for generating and verifying `JSON Web
44
Tokens <http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html>`__.
55

6+
- **Note:** Versions 1.0.0 and later fix `a
7+
vulnerability <https://www.timmclean.net/2015/02/25/jwt-alg-none.html>`__
8+
in JSON Web Token verification so please upgrade if you're using this
9+
functionality. The API has changed so you will need to update your
10+
application.
11+
`verify\_jwt <http://githubraw.herokuapp.com/davedoesdev/python-jwt/master/docs/_build/html/index.html#jwt.verify_jwt>`__
12+
now requires you to specify which signature algorithms are allowed.
613
- Uses `python-jws <https://github.com/brianloveswords/python-jws>`__
714
to do the heavy lifting.
815
- Supports `**RS256**, **RS384**,
@@ -16,15 +23,13 @@ Tokens <http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html>`__.
1623
signature algorithms.
1724
- Unit tests, including tests for interoperability with
1825
`node-jsjws <https://github.com/davedoesdev/node-jsjws>`__.
19-
- Does *not* support Python 3 (gated on `python-jws support for Python
20-
3 <https://github.com/brianloveswords/python-jws/issues/14>`__).
21-
- **Note:** Versions 0.3.5 and later fix `a
22-
vulnerability <https://www.timmclean.net/2015/02/25/jwt-alg-none.html>`__
23-
in JSON Web Token verification so please upgrade if you're using this
24-
functionality.
26+
- Tentative support for Python 3.4. Although the examples below work,
27+
the unit tests are blocked on
28+
`PyVows <https://github.com/heynemann/pyvows/issues/23>`__ and
29+
`gevent <https://github.com/gevent/gevent/issues/38>`__ support for
30+
Python 3.4. **Note:**
2531
`verify\_jwt <http://githubraw.herokuapp.com/davedoesdev/python-jwt/master/docs/_build/html/index.html#jwt.verify_jwt>`__
26-
no longer accepts unsigned tokens when you supply a key and supports
27-
specifying which signature algorithms are allowed.
32+
now returns the token as a Unicode string, even on Python 2.7.
2833

2934
Example:
3035

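Review bot: this mirrors the README.md change, so the same points apply here: the wording "now requires you to specify" should reflect that `allowed_algs` defaults to an empty list per the commit message, the "returns the token as a Unicode string" sentence should name the function that actually returns a token, and the dropped sentence about unsigned tokens being rejected when a key is supplied should be replaced rather than removed. Whichever wording is chosen, keep README.md and README.rst identical.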
@@ -34,7 +39,7 @@ Example:
3439
key = RSA.generate(2048)
3540
payload = { 'foo': 'bar', 'wup': 90 };
3641
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
37-
header, claims = jwt.verify_jwt(token, key)
42+
header, claims = jwt.verify_jwt(token, key, ['PS256'])
3843
for k in payload: assert claims[k] == payload[k]
3944
4045
The API is described
@@ -63,7 +68,7 @@ You can read and write keys from and to
6368
priv_key = RSA.importKey(priv_pem)
6469
pub_key = RSA.importKey(pub_pem)
6570
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
66-
header, claims = jwt.verify_jwt(token, pub_key)
71+
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
6772
for k in payload: assert claims[k] == payload[k]
6873
6974
Licence

bench/reporter.py

Lines changed: 8 additions & 8 deletions
@@ -22,19 +22,19 @@ def write_results(self, value, results):
2222
if hasattr(r, "user_mean") and \
2323
hasattr(r, "system_mean") and \
2424
hasattr(r, "wall_mean"):
25-
self.stream.write("{0}|{1:,}|{2:,}|{3:,}\n".format(r.name, \
26-
long(r.user_mean * 10**9), \
27-
long(r.system_mean * 10**9), \
28-
long(r.wall_mean * 10**9)))
25+
self.stream.write("{0}|{1:,.0f}|{2:,.0f}|{3:,.0f}\n".format(r.name, \
26+
r.user_mean * 10**9, \
27+
r.system_mean * 10**9, \
28+
r.wall_mean * 10**9))
2929
else:
3030
self.stream.write("{0:<20}{1:>15}{2:>15}{3:>15}\n".format(value, "user (ns)", "sys (ns)", "real (ns)"))
3131
self.stream.write("=" * 65 + "\n")
3232
for r in results:
3333
if hasattr(r, "user_mean") and \
3434
hasattr(r, "system_mean") and \
3535
hasattr(r, "wall_mean"):
36-
self.stream.write("{0:<20} {1:>14,} {2:>14,} {3:>14,}\n".format(r.name, \
37-
long(r.user_mean * 10**9), \
38-
long(r.system_mean * 10**9), \
39-
long(r.wall_mean * 10**9)))
36+
self.stream.write("{0:<20} {1:>14,.0f} {2:>14,.0f} {3:>14,.0f}\n".format(r.name, \
37+
r.user_mean * 10**9, \
38+
r.system_mean * 10**9, \
39+
r.wall_mean * 10**9))
4040
self.stream.write("\n")
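Review bot: dropping `long()` is the right fix for Python 3, where the name does not exist, but `{:,.0f}` rounds to nearest while `long()` truncated, so reported values can shift by one nanosecond between the two versions; if exact comparability with old benchmark output matters, use `int()` (which also truncates and exists on both versions) instead of changing the format spec. Style: the trailing backslashes inside the `.format(...)` call are redundant, since line continuation is implicit within parentheses.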

bench/verify_token_bench.py

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ def make_bench_verify_token(alg):
2727
def f(_):
2828
""" Verify token """
2929
pubk = pub_keys[alg].get('default', pub_key)
30-
jwt.verify_jwt(token, pubk)
30+
jwt.verify_jwt(token, pubk, [alg])
3131
return f
3232

3333
for alg in algs:

bento.info

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
Name: python_jwt
2-
Version: 0.3.8
2+
Version: 1.0.0
33
Summary: Module for generating and verifying JSON Web Tokens
44
DescriptionFromFile: README.rst
55
Url: https://github.com/davedoesdev/python-jwt
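Review bot: bumping to 1.0.0 is consistent with the breaking API change named in the commit message; only bento.info is visible here, so double-check that any other place the version is declared (a setup.py, the docs configuration, a changelog, if the project has them) is bumped in the same commit so the published package and the docs agree.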

coverage/coverage.xml

Lines changed: 41 additions & 44 deletions
@@ -1,12 +1,12 @@
11
<?xml version="1.0" ?>
22
<!DOCTYPE coverage
33
SYSTEM 'http://cobertura.sourceforge.net/xml/coverage-03.dtd'>
4-
<coverage branch-rate="0.7045" line-rate="0.8767" timestamp="1426027217120" version="3.7.1">
4+
<coverage branch-rate="0.7" line-rate="0.8857" timestamp="1426147017724" version="3.7.1">
55
<!-- Generated by coverage.py: http://nedbatchelder.com/code/coverage -->
66
<packages>
7-
<package branch-rate="0.7045" complexity="0" line-rate="0.8767" name="">
7+
<package branch-rate="0.7" complexity="0" line-rate="0.8857" name="">
88
<classes>
9-
<class branch-rate="0.7045" complexity="0" filename="jwt/__init__.py" line-rate="0.8767" name="jwt/__init__">
9+
<class branch-rate="0.7" complexity="0" filename="jwt/__init__.py" line-rate="0.8857" name="jwt/__init__">
1010
<methods/>
1111
<lines>
1212
<line hits="1" number="5"/>
@@ -30,58 +30,55 @@
3030
<line hits="1" number="70"/>
3131
<line hits="1" number="72"/>
3232
<line hits="1" number="80"/>
33-
<line hits="1" number="118"/>
33+
<line hits="1" number="117"/>
34+
<line hits="1" number="119"/>
3435
<line hits="1" number="120"/>
3536
<line hits="1" number="121"/>
36-
<line hits="1" number="122"/>
37-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="124"/>
38-
<line hits="1" number="125"/>
39-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="126"/>
40-
<line hits="0" number="127"/>
41-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="128"/>
42-
<line hits="1" number="129"/>
43-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="131"/>
44-
<line hits="1" number="132"/>
45-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="133"/>
46-
<line hits="0" number="134"/>
47-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="135"/>
48-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="136"/>
37+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="123"/>
38+
<line hits="1" number="124"/>
39+
<line hits="1" number="126"/>
40+
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="127"/>
41+
<line hits="0" number="128"/>
42+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="129"/>
43+
<line hits="1" number="130"/>
44+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="132"/>
45+
<line hits="1" number="133"/>
46+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="134"/>
47+
<line hits="1" number="135"/>
4948
<line hits="1" number="137"/>
49+
<line hits="1" number="138"/>
5050
<line hits="1" number="140"/>
51-
<line hits="1" number="142"/>
51+
<line hits="1" number="141"/>
5252
<line hits="1" number="143"/>
53-
<line hits="1" number="145"/>
54-
<line hits="1" number="146"/>
55-
<line hits="1" number="148"/>
56-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="149"/>
57-
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="150"/>
58-
<line hits="0" number="151"/>
59-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="152"/>
53+
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="144"/>
54+
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="145"/>
55+
<line hits="0" number="146"/>
56+
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="147"/>
57+
<line hits="0" number="148"/>
58+
<line hits="1" number="150"/>
59+
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="151"/>
60+
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="152"/>
6061
<line hits="0" number="153"/>
62+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="154"/>
6163
<line hits="1" number="155"/>
62-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="156"/>
63-
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="157"/>
64-
<line hits="0" number="158"/>
64+
<line hits="1" number="157"/>
65+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="158"/>
6566
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="159"/>
6667
<line hits="1" number="160"/>
68+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="161"/>
6769
<line hits="1" number="162"/>
68-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="163"/>
69-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="164"/>
70-
<line hits="1" number="165"/>
71-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="166"/>
72-
<line hits="1" number="167"/>
70+
<line hits="1" number="164"/>
71+
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="165"/>
72+
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="166"/>
73+
<line hits="0" number="167"/>
74+
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="168"/>
7375
<line hits="1" number="169"/>
74-
<line branch="true" condition-coverage="50% (1/2)" hits="1" number="170"/>
75-
<line branch="true" condition-coverage="0% (0/2)" hits="0" number="171"/>
76-
<line hits="0" number="172"/>
77-
<line branch="true" condition-coverage="100% (2/2)" hits="1" number="173"/>
78-
<line hits="1" number="174"/>
79-
<line hits="1" number="176"/>
80-
<line hits="1" number="180"/>
81-
<line hits="1" number="192"/>
82-
<line hits="1" number="193"/>
83-
<line hits="1" number="194"/>
84-
<line hits="1" number="195"/>
76+
<line hits="1" number="171"/>
77+
<line hits="1" number="175"/>
78+
<line hits="1" number="187"/>
79+
<line hits="1" number="188"/>
80+
<line hits="1" number="189"/>
81+
<line hits="1" number="190"/>
8582
</lines>
8683
</class>
8784
</classes>
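Review bot: the regenerated report still shows `hits="0"` on new lines 145, 146, 148, 152, 153, 166 and 167, with `0% (0/2)` branch coverage on 145, 152 and 166, which suggests the rejection paths added to verify_jwt (for example a token whose algorithm is not in `allowed_algs`) are not exercised by the unit tests; since this release exists to close the alg-none vulnerability, add negative tests that assert such tokens are refused before relying on the change. Separately, committing regenerated coverage XML and HTML produces large noisy diffs on every run; consider keeping these as CI artifacts rather than tracked files.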

coverage/html/index.html

Lines changed: 11 additions & 11 deletions
@@ -18,7 +18,7 @@
1818
<div id='header'>
1919
<div class='content'>
2020
<h1>Coverage report:
21-
<span class='pc_cov'>81%</span>
21+
<span class='pc_cov'>82%</span>
2222
</h1>
2323
<img id='keyboard_icon' src='keybd_closed.png'>
2424
</div>
@@ -62,28 +62,28 @@ <h1>Coverage report:
6262
<tfoot>
6363
<tr class='total'>
6464
<td class='name left'>Total</td>
65-
<td>73</td>
66-
<td>9</td>
65+
<td>70</td>
66+
<td>8</td>
6767
<td>0</td>
6868

69-
<td>44</td>
70-
<td>7</td>
69+
<td>40</td>
70+
<td>6</td>
7171

72-
<td class='right'>81%</td>
72+
<td class='right'>82%</td>
7373
</tr>
7474
</tfoot>
7575
<tbody>
7676

7777
<tr class='file'>
7878
<td class='name left'><a href='jwt___init__.html'>jwt/__init__</a></td>
79-
<td>73</td>
80-
<td>9</td>
79+
<td>70</td>
80+
<td>8</td>
8181
<td>0</td>
8282

83-
<td>44</td>
84-
<td>7</td>
83+
<td>40</td>
84+
<td>6</td>
8585

86-
<td class='right'>81%</td>
86+
<td class='right'>82%</td>
8787
</tr>
8888

8989
</tbody>
