We recently discovered a bug in our code that wasn't caught by tests because where we do jwt.decode we were supplying an option called "required": [...] instead of "require": [...], and so our JWTs weren't being validated to contain the expected fields.
So the call looked like this:
import jwt

payload = jwt.decode(
    token,
    key,
    algorithms=algorithms,
    audience=audience,
    options={
        "keys": [...],
        "options": {
            "required": [...],  # this should be: "require": [...]
        },
    },
)
pyjwt doesn't complain about this; it continues without doing any checking that fields are present. It would have saved us some pain if pyjwt raised an error when it receives an option it doesn't recognise.
If the project is willing to integrate this behaviour, I'd be happy to submit a PR making this change. 🙂
Similar happened to our project.
IMO, this is a must-have for a library that is related to security.
I found this PR where kwargs are marked with deprecation and planned to be removed in version 3.0. But more than a year has passed since the merge of this PR and version 3.0 is not released yet. Do we have an expected time period when 3.0 will be released?
Until then, at our project, we are forced to make a wrapper around `pyjwt.decode` and extensively test all options.
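The kind of wrapper described in the issue and the comment above, as an added example that is not part of pyjwt or of either poster's code: it rejects any option key that pyjwt would silently ignore, points at the closest known key when it finds a typo such as "required", and re-checks the required claims after decoding. The list of known option keys is an assumption taken from the PyJWT 2.x documentation; adjust it to the version you run.

```python
"""Strict wrapper around jwt.decode that refuses unrecognised option keys."""
import difflib

# Option keys understood by PyJWT 2.x decode(). Assumption: drawn from the
# PyJWT 2.x docs; extend it if the version you run accepts more keys.
KNOWN_OPTIONS = frozenset({
    "verify_signature", "verify_exp", "verify_nbf", "verify_iat",
    "verify_aud", "verify_iss", "require",
})


def validate_decode_options(options):
    """Return a copy of `options`, or raise ValueError naming every unknown key
    together with the closest known key (so "required" points at "require")."""
    if options is None:
        return {}
    problems = []
    for key in options:
        if key not in KNOWN_OPTIONS:
            hint = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1)
            suggestion = f" (did you mean {hint[0]!r}?)" if hint else ""
            problems.append(f"{key!r}{suggestion}")
    if problems:
        raise ValueError("unknown jwt.decode option(s): " + ", ".join(problems))
    require = options.get("require", [])
    if not isinstance(require, (list, tuple)):
        raise ValueError("'require' must be a list of claim names")
    return dict(options)


def missing_claims(payload, require):
    """Names in `require` that are absent from a decoded payload dict."""
    return [claim for claim in require if claim not in payload]


def strict_decode(token, key, algorithms, audience=None, options=None, **kwargs):
    """Validate options first, then delegate to jwt.decode and re-check claims."""
    import jwt  # imported lazily so option validation is usable without pyjwt
    checked = validate_decode_options(options)
    payload = jwt.decode(token, key, algorithms=algorithms, audience=audience,
                         options=checked, **kwargs)
    # Belt and braces: fail even if a future pyjwt ignored "require".
    absent = missing_claims(payload, checked.get("require", []))
    if absent:
        raise jwt.MissingRequiredClaimError(absent[0])
    return payload
```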