From e4ea2f4fdb6135b7d964abecdfa8c4dbc5bb0e58 Mon Sep 17 00:00:00 2001
From: Aarni Koskela
Date: Wed, 30 Mar 2022 10:22:37 +0300
Subject: [PATCH] Don't mutate options dictionary in .decode_complete()

Fixes #679
---
 jwt/api_jwt.py | 6 ++----
 tests/test_api_jwt.py | 8 ++++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index c9d34a5f6..22c84637a 100644
--- jwt/api_jwt.py
+++ jwt/api_jwt.py
@@ -70,10 +70,8 @@ def decode_complete(
 options: Optional[Dict] = None,
 **kwargs,
 ) -> Dict[str, Any]:
- if options is None:
- options = {"verify_signature": True}
- else:
- options.setdefault("verify_signature", True)
+ options = dict(options or {}) # shallow-copy or initialize an empty dict
+ options.setdefault("verify_signature", True)
 if not options["verify_signature"]:
 options.setdefault("verify_exp", False)
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index fa3167a41..ad22d84d4 100644
--- tests/test_api_jwt.py
+++ tests/test_api_jwt.py
@@ -658,3 +658,11 @@ def test_decode_no_algorithms_verify_signature_false(self, jwt, payload):
 jwt_message = jwt.encode(payload, secret)
 jwt.decode(jwt_message, secret, options={"verify_signature": False})
+
+ def test_decode_no_options_mutation(self, jwt, payload):
+ options = {"verify_signature": True}
+ orig_options = options.copy()
+ secret = "secret"
+ jwt_message = jwt.encode(payload, secret)
+ jwt.decode(jwt_message, secret, options=options, algorithms=["HS256"])
+ assert options == orig_options
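Review bot: In the jwt/api_jwt.py hunk, `options.setdefault("verify_signature", True)` keeps whatever the caller supplied, and the next line, `if not options["verify_signature"]`, is a truthiness test. A `None`, `0` or `""` under that key (for example a null from a configuration file) therefore takes the verification-off branch without any error. Now that the function works on its own copy, this is a cheap place to reject non-boolean values, e.g. `if not isinstance(options["verify_signature"], bool): raise TypeError("verify_signature must be a bool")`. The body of decode_complete continues outside the hunk, so how the remaining verify_* keys are consumed cannot be checked from here.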
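Review bot: In the tests/test_api_jwt.py hunk, `test_decode_no_options_mutation` starts from `options = {"verify_signature": True}`, a dictionary the removed code would not have changed either. With the key already present `setdefault` is a no-op, and the `if not options["verify_signature"]` branch is skipped, so judging by the visible lines the test passes both before and after the fix. Starting from `options = {}` would pin the regression. A second case with `options = {"verify_signature": False}` would cover the branch that goes on to `options.setdefault("verify_exp", False)`.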