Emit a deprecation warning for unsupported kwargs #776

sirosen · 2022-07-03T22:11:44Z

This is half of #258. It cannot be completed without a breaking release, but the API should be reconsidered at that time because it doesn't make a ton of sense for validation-specific arguments like leeway to be presented as args to decode().

**kwargs usages cannot be removed without breaking backwards compatibility. Unsupported kwargs cannot even be rejected without breaking compatibility.

However, this does not mean that the library cannot identify and warn when unsupported arguments are used. The warning behavior simply has to be separated from any removal of **kwargs.

All legitimate **kwargs usages have been replaced with explicit arguments. Any other arguments will be captured under **kwargs and trigger the deprecation warnings. In the cases of decode() -> decode_complete() passthrough, the passthrough has been removed to avoid duplicate deprecation warnings on a single usage.

This makes a very subtle behavioral change to **kwargs only for the case of a subclass of PyJWT or PyJWS. Extra arguments used by a specialized subclass won't pass through transparently anymore. In such a case the subclass author has multiple resolutions available, including reimplementation of the decode() method to passthrough the additional argument. Although technically backwards-incompatible for a niche subclassing usage, this behavior is very nearly identical and shouldn't pose an issue for the vast majority of pyjwt users.

The deprecation warning does not cover all deprecated usages. In particular, several passthrough arguments for claim validation should probably be made available via options and later removed. The arguments in need of attention now have inline comments in the signature definitions, but are otherwise left unmodified, leaving current usages correct and valid.

auvipy

there are some conflicts in a file

`**kwargs` usages cannot be removed without breaking backwards compatibility. Unsupported kwargs cannot even be rejected without breaking compatibility. However, this does not mean that the library cannot identify and warn when unsupported arguments are used. The warning behavior simply has to be separated from any removal of `**kwargs`. All legitimate `**kwargs` usages have been replaced with explicit arguments. Any other arguments will be captured under `**kwargs` and trigger the deprecation warnings. In the cases of `decode() -> decode_complete()` passthrough, the passthrough has been removed to avoid duplicate deprecation warnings on a single usage. This makes a very subtle behavioral change to `**kwargs` *only* for the case of a subclass of PyJWT or PyJWS. Extra arguments used by a specialized subclass won't pass through transparently anymore. In such a case the subclass author has multiple resolutions available, including reimplementation of the `decode()` method to passthrough the additional argument. Although technically backwards-incompatible for a niche subclassing usage, this behavior is very nearly identical and shouldn't pose an issue for the vast majority of pyjwt users. The deprecation warning does not cover all deprecated usages. In particular, several passthrough arguments for claim validation should probably be made available via `options` and later removed. The arguments in need of attention now have inline comments in the signature definitions, but are otherwise left unmodified, leaving current usages correct and valid.

sirosen · 2022-07-04T17:44:22Z

The conflict was just changelog lines for the Unreleased section. I've resolved with a rebase.

@DaGuich

@DaGuich

4745: Update pyjwt requirement from ~=2.5.0 to ~=2.6.0 r=jenshnielsen a=dependabot[bot] Updates the requirements on [pyjwt](https://github.com/jpadilla/pyjwt) to permit the latest version. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.6.0 <https://github.com/jpadilla/pyjwt/compare/2.5.0...2.6.0></code>__</h2> <p>Changed</p> <pre><code> - bump up cryptography >= 3.4.0 by `@jpadilla` in `[#807](jpadilla/pyjwt#807) <https://github.com/jpadilla/pyjwt/pull/807>`_ - Remove `types-cryptography` from `crypto` extra by `@lautat` in `[#805](jpadilla/pyjwt#805) <https://github.com/jpadilla/pyjwt/pull/805>`_ <p>Fixed</p> <pre><code> - Invalidate token on the exact second the token expires `[#797](jpadilla/pyjwt#797) &lt;https://github.com/jpadilla/pyjwt/pull/797&gt;`_ - fix: version 2.5.0 heading typo by `@c0state` in `[#803](jpadilla/pyjwt#803) &lt;https://github.com/jpadilla/pyjwt/pull/803&gt;`_ Added </code></pre> <ul> <li>Adding validation for <code>issued_at</code> when <code>iat &gt; (now + leeway)</code> as <code>ImmatureSignatureError</code> by <a href="https://github.com/sriharan16"><code>`@sriharan16</code></a>` in <a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/pull/794">jpadilla/pyjwt#794</a></li> </ul> <h2><code>v2.5.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.4.0...2.5.0&gt;</code>__</h2> <p>Changed </code></pre></p> <ul> <li>Skip keys with incompatible alg when loading JWKSet by <a href="https://github.com/DaGuich"><code>`@DaGuich</code></a>` in <code>[#762](jpadilla/pyjwt#762) <https://github.com/jpadilla/pyjwt/pull/762></code>__</li> <li>Remove support for python3.6 by <a href="https://github.com/sirosen"><code>`@sirosen</code></a>` in <code>[#777](jpadilla/pyjwt#777) <https://github.com/jpadilla/pyjwt/pull/777></code>__</li> <li>Emit a deprecation warning for unsupported kwargs by <a href="https://github.com/sirosen"><code>`@sirosen</code></a>` in <code>[#776](jpadilla/pyjwt#776) <https://github.com/jpadilla/pyjwt/pull/776></code>__</li> <li>Remove redundant wheel dep from pyproject.toml by <a href="https://github.com/mgorny"><code>`@mgorny</code></a>` in <code>[#765](jpadilla/pyjwt#765) <https://github.com/jpadilla/pyjwt/pull/765></code>__</li> <li>Do not fail when an unusable key occurs by <a href="https://github.com/DaGuich"><code>`@DaGuich</code></a>` in <code>[#762](jpadilla/pyjwt#762) <https://github.com/jpadilla/pyjwt/pull/762></code>__</li> <li>Update audience typing by <a href="https://github.com/JulianMaurin"><code>`@JulianMaurin</code></a>` in <code>[#782](jpadilla/pyjwt#782) <https://github.com/jpadilla/pyjwt/pull/782></code>__</li> <li>Improve PyJWKSet error accuracy by <a href="https://github.com/JulianMaurin"><code>`@JulianMaurin</code></a>` in <code>[#786](jpadilla/pyjwt#786) <https://github.com/jpadilla/pyjwt/pull/786></code>__</li> <li>Mypy as pre-commit check + api_jws typing by <a href="https://github.com/JulianMaurin"><code>`@JulianMaurin</code></a>` in <code>[#787](jpadilla/pyjwt#787) <https://github.com/jpadilla/pyjwt/pull/787></code>__</li> </ul> <p>Fixed</p> <pre><code> - Adjust expected exceptions in option merging tests for PyPy3 by `@mgorny` in `[#763](jpadilla/pyjwt#763) <https://github.com/jpadilla/pyjwt/pull/763>`__ - Fixes for pyright on strict mode by `@brandon-leapyear` in `[#747](jpadilla/pyjwt#747) <https://github.com/jpadilla/pyjwt/pull/747>`__ - docs: fix simple typo, iinstance -> isinstance by `@timgates42` in `[#774](jpadilla/pyjwt#774) <https://github.com/jpadilla/pyjwt/pull/774>`__ - Fix typo: priot -> prior by `@jdufresne` in `[#780](jpadilla/pyjwt#780) <https://github.com/jpadilla/pyjwt/pull/780>`__ - Fix for headers disorder issue by `@kadabusha` in `[#721](jpadilla/pyjwt#721) <https://github.com/jpadilla/pyjwt/pull/721>`__ <p>Added </code></pre></p> <ul> <li>Add to_jwk static method to ECAlgorithm by <a href="https://github.com/leonsmith"><code>`@leonsmith</code></a>` in <code>[#732](jpadilla/pyjwt#732) <https://github.com/jpadilla/pyjwt/pull/732></code>__</li> <li>Expose get_algorithm_by_name as new method by <a href="https://github.com/sirosen"><code>`@sirosen</code></a>` in <code>[#773](jpadilla/pyjwt#773) <https://github.com/jpadilla/pyjwt/pull/773></code>__</li> <li>Add type hints to jwt/help.py and add missing types dependency by <a href="https://github.com/kkirsche"><code>`@kkirsche</code></a>` in <code>[#784](jpadilla/pyjwt#784) <https://github.com/jpadilla/pyjwt/pull/784></code>__</li> <li>Add cacheing functionality for JWK set by <a href="https://github.com/wuhaoyujerry"><code>`@wuhaoyujerry</code></a>` in <code>[#781](jpadilla/pyjwt#781) <https://github.com/jpadilla/pyjwt/pull/781></code>__</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/jpadilla/pyjwt/commits">compare view</a></li> </ul> </details> <br /> You can trigger a rebase of this PR by commenting ``@dependabot` rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - ``@dependabot` rebase` will rebase this PR - ``@dependabot` recreate` will recreate this PR, overwriting any edits that have been made to it - ``@dependabot` merge` will merge this PR after your CI passes on it - ``@dependabot` squash and merge` will squash and merge this PR after your CI passes on it - ``@dependabot` cancel merge` will cancel a previously requested merge and block automerging - ``@dependabot` reopen` will reopen this PR if it is closed - ``@dependabot` close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - ``@dependabot` ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> 4746: Update pandas requirement from ~=1.5.0 to ~=1.5.1 r=jenshnielsen a=dependabot[bot] Updates the requirements on [pandas](https://github.com/pandas-dev/pandas) to permit the latest version. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pandas-dev/pandas/releases">pandas's releases</a>.</em></p> <blockquote> <h2>Pandas 1.5.1</h2> <p>This is a patch release in the 1.5.x series and includes some regression and bug fixes. We recommend that all users upgrade to this version.</p> <p>See the <a href="https://pandas.pydata.org/pandas-docs/version/1.5.1/whatsnew/v1.5.1.html">full whatsnew</a> for a list of all the changes.</p> <p>The release will be available on the defaults and conda-forge channels:</p> <pre><code>conda install pandas </code></pre> <p>Or via PyPI:</p> <pre><code>python3 -m pip install --upgrade pandas </code></pre> <p>Please report any issues with the release on the <a href="https://github.com/pandas-dev/pandas/issues">pandas issue tracker</a>.</p> <p>Thanks to all the contributors who made this release possible.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pandas-dev/pandas/commit/91111fd99898d9dcaa6bf6bedb662db4108da6e6"><code>91111fd</code></a> RLS: 1.5.1</li> <li><a href="https://github.com/pandas-dev/pandas/commit/72863856504a4e906fc603f9e4624f251b614828"><code>7286385</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49162">#49162</a> on branch 1.5.x (PERF: Fix performance regression for isin...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/8429c50a279ba953514d1ca4d4a2bcef5e23ecc9"><code>8429c50</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49140">#49140</a> on branch 1.5.x (Revert "PERF: faster corrwith method for ...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/5b036c1c35890c44531f796f5dca92796276b2b5"><code>5b036c1</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49137">#49137</a> on branch 1.5.x (WEB/DOC: Fix typo in OVH name) (<a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49138">#49138</a>)</li> <li><a href="https://github.com/pandas-dev/pandas/commit/ea971acb948d16e284a38292cd615a5eb7c055ab"><code>ea971ac</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/48770">#48770</a> on branch 1.5.x (added sytle in stylesheet for <blockquote...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/27717a20061aaedda0d3e5de8461835e952c49f3"><code>27717a2</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49080">#49080</a> on branch 1.5.x (REGR: midx.values resetting freq of under...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/c58f2057b8c8a7fa79654c45a83c963c013a3aa3"><code>c58f205</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/48457">#48457</a> on branch 1.5.x (TST: Fix unsigned pyarrow types in SIGNED...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/072402b58cbd87c2106413a37213c0b6020e34b1"><code>072402b</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49053">#49053</a> on branch 1.5.x (REVERT caching in find_stack_level) (<a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49079">#49079</a>)</li> <li><a href="https://github.com/pandas-dev/pandas/commit/f9eebaf9de23aa9c5debdd86524615b22c23025f"><code>f9eebaf</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49072">#49072</a> on branch 1.5.x (BUG: redirect from meeting to community w...</li> <li><a href="https://github.com/pandas-dev/pandas/commit/b8d2f461767e1e2124a08c17be69bf0f847c882e"><code>b8d2f46</code></a> Backport PR <a href="https://github-redirect.dependabot.com/pandas-dev/pandas/issues/49070">#49070</a> on branch 1.5.x (CI: Fix DeprecationWarning of numpy dev) ...</li> <li>Additional commits viewable in <a href="https://github.com/pandas-dev/pandas/compare/v1.5.0...v1.5.1">compare view</a></li> </ul> </details> <br /> You can trigger a rebase of this PR by commenting ``@dependabot` rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - ``@dependabot` rebase` will rebase this PR - ``@dependabot` recreate` will recreate this PR, overwriting any edits that have been made to it - ``@dependabot` merge` will merge this PR after your CI passes on it - ``@dependabot` squash and merge` will squash and merge this PR after your CI passes on it - ``@dependabot` cancel merge` will cancel a previously requested merge and block automerging - ``@dependabot` reopen` will reopen this PR if it is closed - ``@dependabot` close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - ``@dependabot` ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> 4748: Bump scipy from 1.9.2 to 1.9.3 r=jenshnielsen a=dependabot[bot] Bumps [scipy](https://github.com/scipy/scipy) from 1.9.2 to 1.9.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/scipy/scipy/releases">scipy's releases</a>.</em></p> <blockquote> <h1>SciPy 1.9.3 Release Notes</h1> <p>SciPy <code>1.9.3</code> is a bug-fix release with no new features compared to <code>1.9.2</code>.</p> <h1>Authors</h1> <ul> <li>Jelle Aalbers (1)</li> <li>Peter Bell (1)</li> <li>Jake Bowhay (3)</li> <li>Matthew Brett (3)</li> <li>Evgeni Burovski (5)</li> <li>drpeteb (1) +</li> <li>Sebastian Ehlert (1) +</li> <li>GavinZhang (1) +</li> <li>Ralf Gommers (2)</li> <li>Matt Haberland (15)</li> <li>Lakshaya Inani (1) +</li> <li>Joseph T. Iosue (1)</li> <li>Nathan Jacobi (1) +</li> <li>jmkuebler (1) +</li> <li>Nikita Karetnikov (1) +</li> <li>Lechnio (1) +</li> <li>Nicholas McKibben (1)</li> <li>Andrew Nelson (1)</li> <li>o-alexandre-felipe (1) +</li> <li>Tirth Patel (1)</li> <li>Tyler Reddy (51)</li> <li>Martin Reinecke (1)</li> <li>Marie Roald (1) +</li> <li>Pamphile Roy (2)</li> <li>Eli Schwartz (1)</li> <li>serge-sans-paille (1)</li> <li>ehsan shirvanian (1) +</li> <li>Mamoru TASAKA (1) +</li> <li>Samuel Wallan (1)</li> <li>Warren Weckesser (7)</li> <li>Gavin Zhang (1) +</li> </ul> <p>A total of 31 people contributed to this release. People with a "+" by their names contributed a patch for the first time. This list of names is automatically generated, and may not be fully complete.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/scipy/scipy/commit/de80faf9d3480b9dbb9b888568b64499e0e70c19"><code>de80faf</code></a> REL: set 1.9.3 released [wheel build]</li> <li><a href="https://github.com/scipy/scipy/commit/25e6b901077646cbdaf0a022ff63d55b2c40b114"><code>25e6b90</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/scipy/scipy/issues/17239">#17239</a> from tylerjereddy/treddy_backport_193</li> <li><a href="https://github.com/scipy/scipy/commit/ba33e438f948d5e147755aff0e63f6a01f5bc676"><code>ba33e43</code></a> DOC: update 1.9.3 relnotes</li> <li><a href="https://github.com/scipy/scipy/commit/92d892efaf689c1be970370cd9b33678482fb1fd"><code>92d892e</code></a> MAINT: Handle numpy's deprecation of accepting out-of-bound integers.</li> <li><a href="https://github.com/scipy/scipy/commit/ba5f6daa1d855f43f9f0d19f51386285b2835ce8"><code>ba5f6da</code></a> MAINT: PR 17239 revisions</li> <li><a href="https://github.com/scipy/scipy/commit/381089e753b42c26faf3fb689fc82f7a5c34c422"><code>381089e</code></a> DOC: update 1.9.3 relnotes</li> <li><a href="https://github.com/scipy/scipy/commit/2db3440cfd768009847fb355f3da53fc8c562ea3"><code>2db3440</code></a> BLD: fix invalid shebang for build helper script</li> <li><a href="https://github.com/scipy/scipy/commit/a9a6582a38e23f178ddaed874d1bc65de3313cb2"><code>a9a6582</code></a> DOC: stats.mode: add versionadded tag and correct order of keepdims descripti...</li> <li><a href="https://github.com/scipy/scipy/commit/f4738889bd34d294cfcbd4aaed8c914fe961a0fd"><code>f473888</code></a> BLD: fix issue with incomplete threads dependency handling (<a href="https://github-redirect.dependabot.com/scipy/scipy/issues/17200">#17200</a>)</li> <li><a href="https://github.com/scipy/scipy/commit/5370f15752eef1f62773236704d6339fa4d4e99c"><code>5370f15</code></a> MAINT: update meson.build to make it work on IBM i system (<a href="https://github-redirect.dependabot.com/scipy/scipy/issues/17193">#17193</a>)</li> <li>Additional commits viewable in <a href="https://github.com/scipy/scipy/compare/v1.9.2...v1.9.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=scipy&package-manager=pip&previous-version=1.9.2&new-version=1.9.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting ``@dependabot` rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - ``@dependabot` rebase` will rebase this PR - ``@dependabot` recreate` will recreate this PR, overwriting any edits that have been made to it - ``@dependabot` merge` will merge this PR after your CI passes on it - ``@dependabot` squash and merge` will squash and merge this PR after your CI passes on it - ``@dependabot` cancel merge` will cancel a previously requested merge and block automerging - ``@dependabot` reopen` will reopen this PR if it is closed - ``@dependabot` close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - ``@dependabot` ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - ``@dependabot` ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

auvipy requested changes Jul 4, 2022

View reviewed changes

sirosen force-pushed the kwargs-deprecation-warning branch from 8eafb43 to a49b96e Compare July 4, 2022 17:43

auvipy approved these changes Jul 5, 2022

View reviewed changes

auvipy merged commit 581f4e1 into jpadilla:master Jul 5, 2022

sirosen deleted the kwargs-deprecation-warning branch July 5, 2022 11:54

AndriiDubonos mentioned this pull request Sep 15, 2023

Validate the options passed in to jwt.decode #869

Open

ychiucco mentioned this pull request Jan 30, 2024

Fix JWT warning fractal-analytics-platform/fractal-client#607

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Emit a deprecation warning for unsupported kwargs #776

Emit a deprecation warning for unsupported kwargs #776

sirosen commented Jul 3, 2022

auvipy left a comment

sirosen commented Jul 4, 2022

Emit a deprecation warning for unsupported kwargs #776

Emit a deprecation warning for unsupported kwargs #776

Conversation

sirosen commented Jul 3, 2022

auvipy left a comment

Choose a reason for hiding this comment

sirosen commented Jul 4, 2022