Remove verify from jwt.decode() to follow PyJWT v2.2.0. #472
Seems to not work either way
@Andrew-Chen-Wang Sorry for bothering you. Since this was a very easy and small fix, I skipped checking the tests. In the latest PyJWT (v2.2.0), in my development environment, all of the tests succeed without any problem.
Thanks for this! No bother. I'm in class rn, but do you mind checking PyJWK has the same args? I'm aware PyJWT got rid of the **kwargs, for several things, so a double check that aud, leeway, and iss, can be passed to PyJWK is ok. IIRC, if the token is PyJWK, then those args are just missing.
PyJWS does not have the same arguments. aud, leeway, and iss are used only in PyJWT and PyJWS does nothing for the aud, leeway and iss (because aud, iss and exp/nbf/iat(leeway) are "JWT" claims). So you don't need to care about that.
I shouldn't have been convinced by your breaking change. That should have been done in v3.0.
@dajiaji since we're passing all those args in
There is no need to worry. This simplejwt does not call PyJW"S" decode() directly except for the test that I modified and PyJW"S".decode() is called only in PyJW"T".decode() with correct arguments. No unexpected arguments will be passed to the PyJW"S".decode(). @auvipy I think it is better to revert the breaking change once (and release v2.2.1) too. But anyway, this PR is useful for the future v3.0.0 release.
as already reverted
Cool thanks so much @dajiaji !
I agree, the PR will at least prevent any more breaking features for 3.0.0 upgrade.
@Andrew-Chen-Wang will you release a version of this PR?
@felippem yes. If possible, can you create a PR for the CHANGELOG (I can't approve my own PRs). Try to match the style; if you can't, it's alright since I can fix it by editing your branch; I just need a PR.
@Andrew-Chen-Wang Done: #476
* Remove verify from jwt.decode() to follow PyJWT v2.2.0. (jazzband#472)
* Fix test not to overwrite PyJWT.decode with PyJWS.decode.
Co-authored-by: Andrew Chen Wang <[email protected]>
* Add support to python 3.10
Co-authored-by: Ajitomi Daisuke <[email protected]>
Co-authored-by: Andrew Chen Wang <[email protected]>
Co-authored-by: Jair Henrique <[email protected]>
According to the setup.py, simplejwt supports PyJWT v2.0.0 or later.
djangorestframework-simplejwt/setup.py
Line 59 in 7759aa8
In this case, you can simply remove the meaningless verify argument from jwt.decode() to support PyJWT v2.2.0.
Closes #467
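The layering discussed in this thread (signature verification in the JWS layer; aud, iss and leeway handled only in the JWT layer; no catch-all keyword arguments) can be sketched with the standard library. This is an added example, not code from this PR, simplejwt or PyJWT; `make_token`, `jws_decode`, `jwt_decode`, the key and the claim values are hypothetical names and constructed data.

```python
import base64, hashlib, hmac, json, time

# Stdlib sketch of the JWS/JWT split; all names here are hypothetical, not PyJWT's API.
def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 sample token."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def jws_decode(token: str, key: bytes, algorithms: list) -> bytes:
    """JWS layer: signature only. No aud/iss/leeway parameters and no **kwargs."""
    head, body, sig = token.split(".")
    alg = json.loads(_b64d(head)).get("alg")
    if alg != "HS256" or alg not in algorithms:
        raise ValueError("algorithm not allowed")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64d(sig)):
        raise ValueError("bad signature")
    return _b64d(body)

def jwt_decode(token, key, algorithms, audience=None, issuer=None, leeway=0):
    """JWT layer: calls the JWS layer, then validates the registered claims."""
    claims = json.loads(jws_decode(token, key, algorithms))
    now = time.time()
    if "exp" in claims and claims["exp"] + leeway < now:
        raise ValueError("token expired")
    if "nbf" in claims and claims["nbf"] - leeway > now:
        raise ValueError("token not yet valid")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims

KEY = b"constructed-demo-key"  # constructed sample key
TOKEN = make_token({"iss": "auth.example", "aud": "api", "exp": int(time.time()) - 5}, KEY)
```

With explicit signatures, a stray `verify=True` fails loudly with `TypeError` instead of being silently ignored, which is the behaviour change callers ran into.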