Different length of tokens from 0.26 to 2.0.1? #257

Closed
tyoc213 opened this issue Aug 19, 2021 · 4 comments

tyoc213 commented Aug 19, 2021

Hi there, I'm migrating a flask app from 1.0.2 with itsdangerous==0.24 in python 3.6.9... to flask 2.0.1 with itsdangerous 2.0.1 and python 3.9.6.

The problem I'm having is that the saved tokens on the old_configuration are 160 bytes, but in the new_configuration it requires 165 (this value I found after seeing the test didn't pass and seeing that the column was not big enough to hold 165 bytes).

And in fact I can switch between my conda environments and execute the same code pointing to the same original database size (160) and the old_config works and obviously the new one doesn't, just switching the conda envs.

But after I can read the old tokens on the new configuration I can think of what to do next...

I hope to write a test case to show the difference, but if for the moment you have any hint on that, it would be helpful.

Old Environment:

  • Python version: 3.6.9
  • ItsDangerous version: 0.24
  • flask 1.0.2
  • DB column of size 160

New environment:

  • Python version: 3.9.6
  • ItsDangerous version: 1.0.2
  • flask 1.0.2
  • DB column of size 165

davidism (Member) commented Aug 19, 2021

I can't reproduce this issue. I tried the following code with both ItsDangerous 0.24 and 2.0.1 and got the same result. Some things have definitely changed between 0.24 and 2.0.1, so you might have luck using git bisect to identify where your test starts failing.

>>> import itsdangerous
>>> len(itsdangerous.URLSafeTimedSerializer("secret").dumps({"key": "value"}))
55

That said, itsdangerous doesn't produce a constant token size, it will depend on the input. Perhaps your input changed? I'd definitely advise against sized string columns, all modern databases allow omitting the size.

tyoc213 (Author) commented Aug 19, 2021

@davidism sorry for not being clear about the serializer, with your sample I created this

import itsdangerous

data = itsdangerous.TimedJSONWebSignatureSerializer("secret").dumps({"key": "value"})
print(len(data))

On python 3.9.6 I get 174 and on python 3.6.9 I get 131.

Any hint about how to go about this? So that on 3.9 it returns the same as on 3.6?

tyoc213 (Author) commented Aug 19, 2021

Just going a little further on this, I extended the sample a little to use pyjwt

import sys

print(sys.version, "\n" * 2)
payload = {"key": "value"}
key = "secret"

import itsdangerous
print("itsdangerous")
data = itsdangerous.TimedJSONWebSignatureSerializer(key).dumps(payload)
print(len(data))
print(data)

# install with pyjwt
import jwt
print("\n"*2, "jwt")
enc1 = jwt.encode(payload, key, algorithm='HS256')
print(len(data))
print(data)

which gives

3.9.6 (default, Jul 30 2021, 16:35:19) 
[GCC 7.5.0] 

itsdangerous
174
b'eyJhbGciOiJIUzUxMiIsImlhdCI6MTYyOTQwNjUxNiwiZXhwIjoxNjI5NDEwMTE2fQ.eyJrZXkiOiJ2YWx1ZSJ9.AeTeXBPFmvggvcyg7gtV3P_baaN6ipXCWSnjbK2xqEYWowjemwmTV1fDjT-F7H5gffuqJxosoh-_xQ3pCUQrPQ'

 jwt
174
b'eyJhbGciOiJIUzUxMiIsImlhdCI6MTYyOTQwNjUxNiwiZXhwIjoxNjI5NDEwMTE2fQ.eyJrZXkiOiJ2YWx1ZSJ9.AeTeXBPFmvggvcyg7gtV3P_baaN6ipXCWSnjbK2xqEYWowjemwmTV1fDjT-F7H5gffuqJxosoh-_xQ3pCUQrPQ'

and

3.6.9 |Anaconda, Inc.| (default, Jul 30 2019, 19:07:31) 
[GCC 7.3.0] 


itsdangerous
131
b'eyJhbGciOiJIUzI1NiIsImlhdCI6MTYyOTQwNjY1MywiZXhwIjoxNjI5NDEwMjUzfQ.eyJrZXkiOiJ2YWx1ZSJ9.fsXfeYjsZj8efpo9n6t2CfuxKV6BIdBINX8w1rgMzak'


 jwt
131
b'eyJhbGciOiJIUzI1NiIsImlhdCI6MTYyOTQwNjY1MywiZXhwIjoxNjI5NDEwMjUzfQ.eyJrZXkiOiJ2YWx1ZSJ9.fsXfeYjsZj8efpo9n6t2CfuxKV6BIdBINX8w1rgMzak'

What is happening here? Did implementations of HS256 change from 3.6 to 3.9???

Or what am I doing wrong? Do you think there is a solution for 3.9 to give the same result as for 3.6?
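
Added example (not part of the original thread and not itsdangerous code): decoding the header segment of the two tokens printed above shows that they declare different `alg` values, and the signature size that goes with each one accounts for 131 versus 174 characters. The helper names are my own; the tokens are copied from the output above.

```python
import base64
import json

# HMAC digest size in bytes for the JWS "HS*" algorithms (RFC 7518).
HMAC_DIGEST_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}

# The two tokens printed in the output above, copied from the page.
TOKEN_PY39 = (
    "eyJhbGciOiJIUzUxMiIsImlhdCI6MTYyOTQwNjUxNiwiZXhwIjoxNjI5NDEwMTE2fQ"
    ".eyJrZXkiOiJ2YWx1ZSJ9."
    "AeTeXBPFmvggvcyg7gtV3P_baaN6ipXCWSnjbK2xqEYWowjemwmTV1fDjT-F7H5gffuqJxosoh-_xQ3pCUQrPQ"
)
TOKEN_PY36 = (
    "eyJhbGciOiJIUzI1NiIsImlhdCI6MTYyOTQwNjY1MywiZXhwIjoxNjI5NDEwMjUzfQ"
    ".eyJrZXkiOiJ2YWx1ZSJ9."
    "fsXfeYjsZj8efpo9n6t2CfuxKV6BIdBINX8w1rgMzak"
)

def b64url_decode(segment):
    """Decode the unpadded base64url used by JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_len(n_bytes):
    """Characters needed to base64url-encode n_bytes without padding."""
    return (4 * n_bytes + 2) // 3

def inspect_jws(token):
    """Return the declared algorithm and the sizes that make up the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    sig_bytes = len(b64url_decode(parts[2]))
    return {
        "alg": header.get("alg"),
        "sig_bytes": sig_bytes,
        "sig_matches_alg": HMAC_DIGEST_BYTES.get(header.get("alg")) == sig_bytes,
        "total_chars": len(token),
    }

def length_with_alg(token, alg):
    """Length if the same header and payload were signed with another HS* alg."""
    header_b64, payload_b64, _ = token.split(".")
    return len(header_b64) + len(payload_b64) + 2 + b64url_len(HMAC_DIGEST_BYTES[alg])

if __name__ == "__main__":
    for label, tok in (("3.9.6", TOKEN_PY39), ("3.6.9", TOKEN_PY36)):
        print(label, inspect_jws(tok), length_with_alg(tok, "HS256"))
```

In the script above, the `jwt` section prints `data` a second time rather than `enc1`, which is why both sections of each run show the same token.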

davidism (Member) commented

Sorry, I can't help you debug this further. It seems like there's something different between 3.6 and 3.9, not an issue with itsdangerous. Additionally, we no longer support JWS, it will be completely removed in 2.1.

github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2021