Merge pull request #98 from shenek/present_check

Check presence among claims
mpdavis · Apr 28, 2019 · 739f44f · 739f44f
2 parents c9501b2 + ec4ad99
commit 739f44f
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -8,6 +8,8 @@ Changelog
 Major
 """""
 
+* Require claim options added.
+  `#98 <https://github.com/mpdavis/python-jose/pull/98>`_
 * Isolate and flesh out cryptographic backends to enable independent operation.
   `#114 <https://github.com/mpdavis/python-jose/issues/114>`_
   `#129 <https://github.com/mpdavis/python-jose/pull/129>`_

diff --git a/jose/jwt.py b/jose/jwt.py
@@ -97,6 +97,14 @@ def decode(token, key, algorithms=None, options=None, audience=None,
                 'verify_sub': True,
                 'verify_jti': True,
                 'verify_at_hash': True,
+                'require_aud': False,
+                'require_iat': False,
+                'require_exp': False,
+                'require_nbf': False,
+                'require_iss': False,
+                'require_sub': False,
+                'require_jti': False,
+                'require_at_hash': False,
                 'leeway': 0,
             }
 
@@ -126,6 +134,14 @@ def decode(token, key, algorithms=None, options=None, audience=None,
         'verify_sub': True,
         'verify_jti': True,
         'verify_at_hash': True,
+        'require_aud': False,
+        'require_iat': False,
+        'require_exp': False,
+        'require_nbf': False,
+        'require_iss': False,
+        'require_sub': False,
+        'require_jti': False,
+        'require_at_hash': False,
         'leeway': 0,
     }
 
@@ -455,6 +471,14 @@ def _validate_claims(claims, audience=None, issuer=None, subject=None,
     if isinstance(leeway, timedelta):
         leeway = timedelta_total_seconds(leeway)
 
+    for require_claim in [
+        e[len("require_"):] for e in options.keys() if e.startswith("require_") and options[e]
+    ]:
+        if require_claim not in claims:
+            raise JWTError('missing required key "%s" among claims' % require_claim)
+        else:
+            options['verify_' + require_claim] = True  # override verify when required
+
     if not isinstance(audience, (string_types, type(None))):
         raise JWTError('audience must be a string or None')
 

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -579,3 +579,26 @@ def test_unverified_claims_list(self):
     def test_unverified_claims_object(self, claims, key):
         token = jwt.encode(claims, key)
         assert jwt.get_unverified_claims(token) == claims
+
+    @pytest.mark.parametrize(
+        "claim,value", [
+            ("aud", "aud"),
+            ("ait", "ait"),
+            ("exp", datetime.utcnow() + timedelta(seconds=5)),
+            ("nbf", datetime.utcnow() - timedelta(seconds=5)),
+            ("iss", "iss"),
+            ("sub", "sub"),
+            ("jti", "jti"),
+        ]
+    )
+    def test_require(self, claims, key, claim, value):
+        options = {"require_" + claim: True, "verify_" + claim: False}
+
+        token = jwt.encode(claims, key)
+        with pytest.raises(JWTError):
+            jwt.decode(token, key, options=options, audience=str(value))
+
+        new_claims = dict(claims)
+        new_claims[claim] = value
+        token = jwt.encode(new_claims, key)
+        jwt.decode(token, key, options=options, audience=str(value))