Merge pull request #217 from alphagov/SW-restrict-pyjwt-version
Handle PyJWT 2.6.0 ImmatureSignatureError
samuelhwilliams authored Oct 21, 2022
2 parents 840f4bc + b394b38 commit f7314b5
Showing 4 changed files with 10 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## 6.4.1

* Fix authentication when using PyJWT 2.6.0 - which now more strictly validates tokens with `iat` in the future.

## 6.4.0

* Added support for `confirm_email_before_download` and `retention_period` security features for sending files by email.
2 changes: 1 addition & 1 deletion notifications_python_client/__init__.py
@@ -7,7 +7,7 @@
#
# -- http://semver.org/

__version__ = '6.4.0'
__version__ = '6.4.1'

from notifications_python_client.errors import ( # noqa
REQUEST_ERROR_MESSAGE,
6 changes: 5 additions & 1 deletion notifications_python_client/authentication.py
@@ -16,6 +16,8 @@
__type__ = "JWT"
__bound__ = 30

INVALID_FUTURE_TOKEN_ERROR_MESSAGE = "Token can not be in the future"


def create_jwt_token(secret, client_id):
"""
@@ -104,6 +106,8 @@ def decode_jwt_token(token, secret):
return validate_jwt_token(decoded_token)
except jwt.InvalidIssuedAtError:
raise TokenExpiredError("Token has invalid iat field", decode_token(token))
except jwt.ImmatureSignatureError:
raise TokenExpiredError(INVALID_FUTURE_TOKEN_ERROR_MESSAGE, decode_token(token))
except jwt.DecodeError:
raise TokenDecodeError
except jwt.InvalidAlgorithmError:
@@ -131,7 +135,7 @@ def validate_jwt_token(decoded_token):
if now > (iat + __bound__):
raise TokenExpiredError("Token has expired", decoded_token)
if iat > (now + __bound__):
raise TokenExpiredError("Token can not be in the future", decoded_token)
raise TokenExpiredError(INVALID_FUTURE_TOKEN_ERROR_MESSAGE, decoded_token)

return True

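Review bot: The new `except jwt.ImmatureSignatureError` branch in decode_jwt_token means a future `iat` can now be rejected in two places with possibly different clock-skew tolerances: PyJWT applies whatever `leeway` the `jwt.decode` call passes, while validate_jwt_token allows `__bound__` (30, presumably seconds) via `iat > (now + __bound__)`. The `jwt.decode` call lies outside the hunks shown, so confirm it passes `leeway=__bound__`; if it does not, a caller whose clock runs slightly fast would be rejected under PyJWT 2.6.0 yet accepted under older versions. A comment on the branch would record the coupling, e.g. `# PyJWT >= 2.6.0 raises this for a future iat; its leeway must stay equal to __bound__`. The test file in this commit only drops `jwt.ImmatureSignatureError` from the parametrized list (0 additions), so unless an existing test already covers it, add a case asserting that this exception surfaces as `TokenExpiredError` with `INVALID_FUTURE_TOKEN_ERROR_MESSAGE`.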
1 change: 0 additions & 1 deletion tests/notifications_python_client/test_authentication.py
@@ -55,7 +55,6 @@ def test_token_should_fail_to_decode_if_wrong_key():

@pytest.mark.parametrize('exception_class', [
jwt.InvalidAudienceError,
jwt.ImmatureSignatureError,
jwt.InvalidIssuerError,
jwt.ExpiredSignatureError,