Skip to content

Commit

Permalink
check presence among claims
Browse files Browse the repository at this point in the history
  • Loading branch information
shenek committed Apr 26, 2019
1 parent 1c3c1a6 commit ec4ad99
Show file tree
Hide file tree
Showing 3 changed files with 49 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ Changelog
Major
"""""

* Require claim options added.
`#98 <https://github.com/mpdavis/python-jose/pull/98>`_
* Isolate and flesh out cryptographic backends to enable independent operation.
`#114 <https://github.com/mpdavis/python-jose/issues/114>`_
`#129 <https://github.com/mpdavis/python-jose/pull/129>`_
Expand Down
24 changes: 24 additions & 0 deletions jose/jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,14 @@ def decode(token, key, algorithms=None, options=None, audience=None,
'verify_sub': True,
'verify_jti': True,
'verify_at_hash': True,
'require_aud': False,
'require_iat': False,
'require_exp': False,
'require_nbf': False,
'require_iss': False,
'require_sub': False,
'require_jti': False,
'require_at_hash': False,
'leeway': 0,
}
Expand Down Expand Up @@ -126,6 +134,14 @@ def decode(token, key, algorithms=None, options=None, audience=None,
'verify_sub': True,
'verify_jti': True,
'verify_at_hash': True,
'require_aud': False,
'require_iat': False,
'require_exp': False,
'require_nbf': False,
'require_iss': False,
'require_sub': False,
'require_jti': False,
'require_at_hash': False,
'leeway': 0,
}

Expand Down Expand Up @@ -455,6 +471,14 @@ def _validate_claims(claims, audience=None, issuer=None, subject=None,
if isinstance(leeway, timedelta):
leeway = timedelta_total_seconds(leeway)

for require_claim in [
e[len("require_"):] for e in options.keys() if e.startswith("require_") and options[e]
]:
if require_claim not in claims:
raise JWTError('missing required key "%s" among claims' % require_claim)
else:
options['verify_' + require_claim] = True # override verify when required

if not isinstance(audience, (string_types, type(None))):
raise JWTError('audience must be a string or None')

Expand Down
23 changes: 23 additions & 0 deletions tests/test_jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -579,3 +579,26 @@ def test_unverified_claims_list(self):
def test_unverified_claims_object(self, claims, key):
token = jwt.encode(claims, key)
assert jwt.get_unverified_claims(token) == claims

@pytest.mark.parametrize(
"claim,value", [
("aud", "aud"),
("ait", "ait"),
("exp", datetime.utcnow() + timedelta(seconds=5)),
("nbf", datetime.utcnow() - timedelta(seconds=5)),
("iss", "iss"),
("sub", "sub"),
("jti", "jti"),
]
)
def test_require(self, claims, key, claim, value):
options = {"require_" + claim: True, "verify_" + claim: False}

token = jwt.encode(claims, key)
with pytest.raises(JWTError):
jwt.decode(token, key, options=options, audience=str(value))

new_claims = dict(claims)
new_claims[claim] = value
token = jwt.encode(new_claims, key)
jwt.decode(token, key, options=options, audience=str(value))

0 comments on commit ec4ad99

Please sign in to comment.