Add warning when decoding with no algorithms specified

jpadilla · Jun 22, 2017 · 11f30c4 · 11f30c4
1 parent 37926ea
commit 11f30c4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
@@ -117,6 +117,15 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
 
     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
                **kwargs):
+
+        if not algorithms:
+            warnings.warn(
+                'It is strongly recommended that you pass in a ' +
+                'value for the "algorithms" argument when calling decode(). ' +
+                'This argument will be mandatory in a future version.',
+                DeprecationWarning
+            )
+
         payload, signing_input, header, signature = self._load(jws)
 
         if verify:

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -58,6 +58,15 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
 
     def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
                **kwargs):
+
+        if not algorithms:
+            warnings.warn(
+                'It is strongly recommended that you pass in a ' +
+                'value for the "algorithms" argument when calling decode(). ' +
+                'This argument will be mandatory in a future version.',
+                DeprecationWarning
+            )
+
         payload, signing_input, header, signature = self._load(jwt)
 
         if options is None:

diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
@@ -265,6 +265,16 @@ def test_verify_false_deprecated(self, jws, recwarn):
 
         pytest.deprecated_call(jws.decode, example_jws, verify=False)
 
+    def test_decode_with_optional_algorithms(self, jws):
+        example_secret = 'secret'
+        example_jws = (
+            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
+            b'aGVsbG8gd29ybGQ.'
+            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
+        )
+
+        pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
+
     def test_load_no_verification(self, jws, payload):
         right_secret = 'foo'
         jws_message = jws.encode(payload, right_secret)

diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -472,3 +472,13 @@ def test_decode_with_verify_expiration_kwarg(self, jwt, payload):
                 secret,
                 verify_expiration=True
             )
+
+    def test_decode_with_optional_algorithms(self, jwt, payload):
+        secret = 'secret'
+        jwt_message = jwt.encode(payload, secret)
+
+        pytest.deprecated_call(
+            jwt.decode,
+            jwt_message,
+            secret
+        )