From 5ac2c84331f4a970ab21989d6cfad5fe523c2219 Mon Sep 17 00:00:00 2001
From: Jeremy Epstein
Date: Tue, 23 Nov 2021 17:25:43 +1100
Subject: [PATCH 1/4] Allow None for JTI_CLAIM and TOKEN_TYPE_CLAIM

This is the only way I could get it working with an Auth0 JWT, which has neither 'jti' nor 'token_type'.
---
 rest_framework_simplejwt/tokens.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
index 75ff573ea..276a1bf9e 100644
--- a/rest_framework_simplejwt/tokens.py
+++ b/rest_framework_simplejwt/tokens.py
@@ -94,10 +94,14 @@ def verify(self):
 self.check_exp()
 # Ensure token id is present
- if api_settings.JTI_CLAIM not in self.payload:
+ if (
+ api_settings.JTI_CLAIM is not None
+ and api_settings.JTI_CLAIM not in self.payload
+ ):
 raise TokenError(_('Token has no id'))
- self.verify_token_type()
+ if api_settings.TOKEN_TYPE_CLAIM is not None:
+ self.verify_token_type()
 def verify_token_type(self):
 """
@@ -181,9 +185,9 @@ def for_user(cls, user):
 token[api_settings.USER_ID_CLAIM] = user_id
 return token
-
+
 _token_backend = None
-
+
 def get_token_backend(self):
 if self._token_backend is None:
 self._token_backend = import_string(

From 13847c1e4462b226aa141930c54709a74f8e3ebd Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sat, 26 Feb 2022 19:04:32 +0000
Subject: [PATCH 2/4] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 rest_framework_simplejwt/tokens.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
index d76b03458..4d22b0dbd 100644
--- a/rest_framework_simplejwt/tokens.py
+++ b/rest_framework_simplejwt/tokens.py
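Review bot: With TOKEN_TYPE_CLAIM set to None the new guard skips verify_token_type() entirely, so nothing left in verify() distinguishes an access token from a refresh token, and the hunk records neither that consequence nor that JTI_CLAIM=None removes the token id that any jti-based blacklist or revocation lookup would need (that code is not visible here; confirm before merging). State it where the guards are added, e.g. `# JTI_CLAIM=None and TOKEN_TYPE_CLAIM=None opt out of the id and type checks; in that configuration verify() cannot tell token types apart, so callers must enforce that elsewhere.` The commit message gives the Auth0 motivation, but nothing in the code marks these settings as opt-outs of a security check. The rest of verify() and the body of verify_token_type() lie outside the hunk.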
@@ -97,7 +97,7 @@ def verify(self):
 api_settings.JTI_CLAIM is not None
 and api_settings.JTI_CLAIM not in self.payload
 ):
- raise TokenError(_('Token has no id'))
+ raise TokenError(_("Token has no id"))
 if api_settings.TOKEN_TYPE_CLAIM is not None:
 self.verify_token_type()

From 60b8138c69b4ac9785aec335d04fd4fe0395c3f0 Mon Sep 17 00:00:00 2001
From: Dennis Dinwiddie
Date: Mon, 2 May 2022 16:28:04 -0400
Subject: [PATCH 3/4] add test cases and comments

---
 rest_framework_simplejwt/tokens.py | 5 ++++-
 tests/test_tokens.py | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
index 4d22b0dbd..cdd6f624e 100644
--- a/rest_framework_simplejwt/tokens.py
+++ b/rest_framework_simplejwt/tokens.py
@@ -92,7 +92,9 @@ def verify(self):
 # claim. We don't want any zombie tokens walking around.
 self.check_exp()
- # Ensure token id is present
+ # If the defaults are not None then we should enforce the
+ # requirement of these settings.As above, the spec labels
+ # these as optional.
 if (
 api_settings.JTI_CLAIM is not None
 and api_settings.JTI_CLAIM not in self.payload
@@ -100,6 +102,7 @@ def verify(self):
 raise TokenError(_("Token has no id"))
 if api_settings.TOKEN_TYPE_CLAIM is not None:
+
 self.verify_token_type()
 def verify_token_type(self):
diff --git a/tests/test_tokens.py b/tests/test_tokens.py
index 1472fdbb0..b3815e406 100644
--- a/tests/test_tokens.py
+++ b/tests/test_tokens.py
@@ -225,6 +225,16 @@ def test_set_jti(self):
 self.assertIn("jti", token)
 self.assertNotEqual(old_jti, token["jti"])
+ def test_optional_jti(self):
+ with override_api_settings(JTI_CLAIM=None):
+ token = MyToken()
+ self.assertNotIn("jti", token)
+
+ def test_optional_type_token(self):
+ with override_api_settings(TOKEN_TYPE_CLAIM=None):
+ token = MyToken()
+ self.assertNotIn("type", token)
+
 def test_set_exp(self):
 now = make_utc(datetime(year=2000, month=1, day=1))
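Review bot: The replacement comment in the first tokens.py hunk of this patch says "If the defaults are not None", but the condition tests the configured api_settings values rather than their defaults, "settings.As" is missing a space, and "As above" points at a comment outside the hunk; "the spec labels these as optional" is also only half right, since jti is an optional registered claim in RFC 7519 while token_type is a library-specific claim the spec does not define. Suggest `# Enforce the id and type claims only when the corresponding setting is not None: jti is optional in the JWT spec, and token_type is a library-specific claim that some issuers do not emit.` The second hunk adds an empty line between `if api_settings.TOKEN_TYPE_CLAIM is not None:` and its body `self.verify_token_type()`; it survives the black pass in patch 4 and should be dropped. Both hunks cut into verify(), whose start and end lie outside them.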
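Review bot: The two tests added in test_tokens.py only construct `MyToken()` under the overridden setting and never call `verify()`, so the behaviour this series actually changes — that verify() accepts a payload without the claim when the setting is None, and still raises TokenError when it is set — has no coverage. test_optional_type_token also asserts `assertNotIn("type", token)` while the claim name elsewhere in the series is 'token_type' (per the first commit message), so that assertion presumably passes regardless of the override; it should use the real claim name, and both tests could additionally assert `None not in token.payload` to catch a None-keyed entry being written when the setting is None (whether construction does that is not visible here). A verify()-level case along the following lines would pin the new contract, adapted to however MyToken sets its type and expiry.
```python
    def test_optional_jti_verify(self):
        token = MyToken()
        del token.payload[api_settings.JTI_CLAIM]  # assumes payload is a plain dict
        with self.assertRaises(TokenError):
            token.verify()
        with override_api_settings(JTI_CLAIM=None):
            token.verify()  # id check disabled; must not raise
    # … analogous case for TOKEN_TYPE_CLAIM …
```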
From d60d4a2c9ca0c33b33b9424e19ec2da36f4f39bf Mon Sep 17 00:00:00 2001
From: Dennis Dinwiddie
Date: Tue, 3 May 2022 10:55:25 -0400
Subject: [PATCH 4/4] sort with black

---
 rest_framework_simplejwt/tokens.py | 4 ++--
 tests/test_tokens.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
index cdd6f624e..12f489ba4 100644
--- a/rest_framework_simplejwt/tokens.py
+++ b/rest_framework_simplejwt/tokens.py
@@ -92,8 +92,8 @@ def verify(self):
 # claim. We don't want any zombie tokens walking around.
 self.check_exp()
- # If the defaults are not None then we should enforce the
- # requirement of these settings.As above, the spec labels
+ # If the defaults are not None then we should enforce the
+ # requirement of these settings.As above, the spec labels
 # these as optional.
 if (
 api_settings.JTI_CLAIM is not None
diff --git a/tests/test_tokens.py b/tests/test_tokens.py
index b3815e406..ab65b5acc 100644
--- a/tests/test_tokens.py
+++ b/tests/test_tokens.py
@@ -234,7 +234,7 @@ def test_optional_type_token(self):
 with override_api_settings(TOKEN_TYPE_CLAIM=None):
 token = MyToken()
 self.assertNotIn("type", token)
-
+
 def test_set_exp(self):
 now = make_utc(datetime(year=2000, month=1, day=1))