Improve 'none' algorithm handling #365

Merged
merged 1 commit into from Oct 5, 2020

Commits on Jul 23, 2020

  1. Improve 'none' algorithm handling

    When decoding a valid token with `algorithm: none`, unless explicitly
    requesting not to verify the token, it could not be validated and raised
    DecodeError with a message about insufficient segments.
    
    This error message is misleading, because there are the correct number
    of segments provided for that algorithm.
    
    With this change, when a token with `algorithm: none` is provided:
    * if the caller requests verification && does not specify `none` as an
      algorithm (default behaviour) it now raises `IncorrectAlgorithm`,
      which is a subclass of `DecodeError` to make the issue more clear.
      This is technically a minor change, but should not be breaking -
      it is returning a subclass, so the same rescues will still work. The
      message provided will be different.
    
    * if the caller requests verification && specifies `none` as an allowed
      algorithm, it verifies the claims and decodes the token as it would
      for a valid, signed token.
      This is new behaviour supporting claims verification for 'none' which
      was not previously available and is only "accessed" through explicit
      settings.
    
    * if the caller explicitly requests no verification, the token is
      decoded without checking anything (no change in behaviour).
    danleyden committed Jul 23, 2020
    205fc26
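
The three cases in the commit message, modelled as an added example that is not the project's code and uses only the Ruby standard library. `decode_unsecured`, `unsigned_token`, `ExpiredSignature` and the `now:` parameter are hypothetical, and checking `exp` is an assumption about which claims are verified.

```ruby
require 'json'

# Error names follow the commit message; the classes here are stand-ins.
class DecodeError < StandardError; end
class IncorrectAlgorithm < DecodeError; end
class ExpiredSignature < DecodeError; end # hypothetical claim error

def b64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  str.tr('-_', '+/').unpack1('m')
end

# Constructed sample: an unsigned token is "header.payload." (empty signature).
def unsigned_token(payload)
  header = b64url_encode(JSON.generate('alg' => 'none'))
  "#{header}.#{b64url_encode(JSON.generate(payload))}."
end

# Hypothetical decoder covering only the 'none' path from the commit message.
def decode_unsecured(token, verify: true, algorithms: [], now: Time.now.to_i)
  raise DecodeError, 'Not enough or too many segments' unless token.count('.') == 2

  header_seg, payload_seg, signature_seg = token.split('.', -1)
  header  = JSON.parse(b64url_decode(header_seg))
  payload = JSON.parse(b64url_decode(payload_seg))
  return [payload, header] unless verify # case 3: nothing is checked

  alg = header['alg'].to_s
  # Case 1: verification requested, token's algorithm not explicitly allowed.
  unless algorithms.include?(alg)
    raise IncorrectAlgorithm, "Token algorithm '#{alg}' is not allowed"
  end
  raise DecodeError, 'Only the none path is modelled here' unless alg == 'none'
  raise DecodeError, 'Unsigned token carries a signature' unless signature_seg.empty?

  # Case 2: 'none' explicitly allowed, so claims are still verified.
  exp = payload['exp']
  raise ExpiredSignature, 'Token has expired' if exp && exp.to_i <= now
  [payload, header]
rescue JSON::ParserError
  raise DecodeError, 'Invalid segment encoding'
end
```

Because `IncorrectAlgorithm` subclasses `DecodeError`, a caller's existing `rescue DecodeError` still catches the default-path rejection.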