From 641dafe012341d270829780a6daa74c6cd5971a7 Mon Sep 17 00:00:00 2001
From: Aarni Koskela
Date: Wed, 30 Mar 2022 10:22:37 +0300
Subject: [PATCH] Don't mutate options dictionary in .decode_complete()

Fixes #679
---
 jwt/api_jwt.py | 6 ++----
 tests/test_api_jwt.py | 8 ++++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index da9d481b..5e11bc8d 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -71,10 +71,8 @@ def decode_complete(
 options: Optional[Dict] = None,
 **kwargs,
 ) -> Dict[str, Any]:
- if options is None:
- options = {"verify_signature": True}
- else:
- options.setdefault("verify_signature", True)
+ options = dict(options or {}) # shallow-copy or initialize an empty dict
+ options.setdefault("verify_signature", True)

 # If the user has set the legacy `verify` argument, and it doesn't match
 # what the relevant `options` entry for the argument is, inform the user
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index 57cc4ae1..84e41e0e 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -674,3 +674,11 @@ def test_decode_legacy_verify_warning(self, jwt, payload):
 jwt.decode(
 jwt_message, secret, verify=True, options={"verify_signature": False}
 )
+
+ def test_decode_no_options_mutation(self, jwt, payload):
+ options = {"verify_signature": True}
+ orig_options = options.copy()
+ secret = "secret"
+ jwt_message = jwt.encode(payload, secret)
+ jwt.decode(jwt_message, secret, options=options, algorithms=["HS256"])
+ assert options == orig_options
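Review bot: The copy made by `options = dict(options or {})` is shallow, so it isolates only the top-level keys; any list- or dict-valued option the caller passes is still the caller's own object. Nothing in the hunk mutates a nested value, and the rest of decode_complete lies outside the hunk, so this may be harmless today. The limit deserves a line where the copy is made, since callers may reuse one options dict across many decode calls and rely on it staying unchanged: `# shallow copy: top-level keys only; nested values stay shared with the caller`.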
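Review bot: test_decode_no_options_mutation passes a dict that already holds `verify_signature`, so the `setdefault("verify_signature", True)` call visible in the jwt/api_jwt.py hunk is a no-op on it and, as far as the visible lines show, the assertion would hold before the fix as well. Start from a dict without that key, for example `options = {"verify_exp": True}`, so the test fails if the default is written back into the caller's object. A second case with `{"verify_signature": False}` would also cover any defaults decode_complete fills in on that path, which is outside the hunk.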