Warn about missing algorithms arg only when verify is True

Since no signature verification will occur, passing in `algorithms` does not make much sense.
jpadilla · Jul 6, 2017 · 4b16fe8 · 4b16fe8
1 parent 74399b1
commit 4b16fe8
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 8 deletions.
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
@@ -118,7 +118,10 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
                **kwargs):
 
-        if not algorithms:
+        merged_options = merge_dict(self.options, options)
+        verify_signature = merged_options['verify_signature']
+
+        if verify_signature and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +
@@ -128,15 +131,13 @@ def decode(self, jws, key='', verify=True, algorithms=None, options=None,
 
         payload, signing_input, header, signature = self._load(jws)
 
-        if verify:
-            merged_options = merge_dict(self.options, options)
-            if merged_options.get('verify_signature'):
-                self._verify_signature(payload, signing_input, header, signature,
-                                       key, algorithms)
-        else:
+        if not verify:
             warnings.warn('The verify parameter is deprecated. '
                           'Please use verify_signature in options instead.',
                           DeprecationWarning, stacklevel=2)
+        elif verify_signature:
+            self._verify_signature(payload, signing_input, header, signature,
+                                   key, algorithms)
 
         return payload
 

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -59,7 +59,7 @@ def encode(self, payload, key, algorithm='HS256', headers=None,
     def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
                **kwargs):
 
-        if not algorithms:
+        if verify and not algorithms:
             warnings.warn(
                 'It is strongly recommended that you pass in a ' +
                 'value for the "algorithms" argument when calling decode(). ' +

diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
@@ -275,6 +275,24 @@ def test_decode_with_optional_algorithms(self, jws):
 
         pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
 
+    def test_decode_no_algorithms_verify_signature_false(self, jws):
+        example_secret = 'secret'
+        example_jws = (
+            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
+            b'aGVsbG8gd29ybGQ.'
+            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
+        )
+
+        try:
+            pytest.deprecated_call(
+                jws.decode, example_jws, key=example_secret,
+                options={'verify_signature': False},
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."
+
     def test_load_no_verification(self, jws, payload):
         right_secret = 'foo'
         jws_message = jws.encode(payload, right_secret)

diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -482,3 +482,16 @@ def test_decode_with_optional_algorithms(self, jwt, payload):
             jwt_message,
             secret
         )
+
+    def test_decode_no_algorithms_verify_false(self, jwt, payload):
+        secret = 'secret'
+        jwt_message = jwt.encode(payload, secret)
+
+        try:
+            pytest.deprecated_call(
+                jwt.decode, jwt_message, secret, verify=False,
+            )
+        except AssertionError:
+            pass
+        else:
+            assert False, "Unexpected DeprecationWarning raised."