
Update pyjwt to 1.5.3 #4672

Merged: 1 commit merged into master from pyup-update-pyjwt-1.4.1-to-1.5.3 on Nov 8, 2017

Conversation

pyup-bot (Contributor) commented:

There's a new version of pyjwt available.
You are currently using 1.4.1. I have updated it to 1.5.3

These links might come in handy: PyPI | Changelog | Repo

Changelog

1.5.3

1.5.2

1.5.1

1.5.0

Changed

  • Add support for ECDSA public keys in RFC 4253 (OpenSSH) format 244
  • Renamed commandline script jwt to jwt-cli to avoid issues with the script clobbering the jwt module in some circumstances. 187
  • Better error messages when using an algorithm that requires the cryptography package, but it isn't available 230
  • Tokens with future 'iat' values are no longer rejected 190
  • Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
  • Remove rejection of future 'iat' claims 252

Fixed

  • Add back 'ES512' for backward compatibility (for now) 225
  • Fix incorrectly named ECDSA algorithm 219
  • Fix rpm build 196

Added

  • Add JWK support for HMAC and RSA keys 202

1.4.2

Fixed

  • A PEM-formatted key encoded as bytes could cause a TypeError to be raised 213

1.4.1

Fixed

  • Newer versions of Pytest could not detect warnings properly 182
  • Non-string 'kid' value now raises InvalidTokenError 174
  • jwt.decode(None) now gracefully fails with InvalidTokenError 183

Got merge conflicts? Close this PR and delete the branch. I'll create a new PR for you.

Happy merging! 🤖

dhwthompson (Contributor) commented:

I’ve taken a quick peek at the failing builds here, and it looks like all the failures are a result of the change that tokens claiming to be issued in the future (the iat claim) are no longer being rejected as invalid.

Assuming we still want to reject these tokens (which seems sensible), we’re going to need to add an extra check or two into the code before we can merge this.
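What the extra check mentioned above could look like, as an added example that is not part of this PR or of PyJWT: the application re-applies the future-`iat` rejection on the claims it gets back from the library, with a leeway for clock skew. `encode_hs256` and `verify_hs256` are assumed stdlib stand-ins for `jwt.encode`/`jwt.decode` so the block runs without PyJWT installed; `check_iat` is the part the application would add on top of the library's own validation.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidIssuedAtError(Exception):
    """Raised when 'iat' is non-numeric or lies in the future (beyond leeway)."""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims, key):
    # Minimal HS256 encoder, used only to build constructed tokens for this example.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token, key):
    # Signature check only; stands in for jwt.decode(token, key, algorithms=["HS256"]).
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def check_iat(claims, now=None, leeway=0):
    # The check PyJWT 1.5 dropped, redone at the application layer:
    # reject an 'iat' more than `leeway` seconds ahead of `now`.
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if iat is None:
        return claims  # 'iat' is optional per RFC 7519
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        raise InvalidIssuedAtError("'iat' claim is not numeric")
    if iat > now + leeway:
        raise InvalidIssuedAtError("token claims to be issued in the future")
    return claims

def decode_checked(token, key, now=None, leeway=0):
    # Library signature verification first, then the application's own 'iat' rule.
    return check_iat(verify_hs256(token, key), now, leeway)
```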

@seanh seanh self-assigned this Nov 7, 2017
seanh added a commit that referenced this pull request Nov 7, 2017
Remove two tests that JWTs whose `iat` value claims that they were
issued in the future fail validation.

These two tests fail on newer versions of PyJWT:

#4672

This is because PyJWT no longer raises an exception for future `iat`
times:

jpadilla/pyjwt#190

PyJWT removed this validation because:

- Clock skew can cause one party to generate `iat` times a few seconds
or minutes ahead of another's current time

- The JWT spec (RFC 7519) doesn't say that a JWT with a future `iat`
should be considered invalid; these JWTs are valid

- Other JWT libraries don't do this check
seanh (Contributor) commented Nov 7, 2017:

I think we should go along with what PyJWT decided (they changed their code to no longer reject future iat times as invalid) and just remove the two failing tests: #4678

@robertknight robertknight force-pushed the pyup-update-pyjwt-1.4.1-to-1.5.3 branch from 8c1aee4 to 4cc12df on November 8, 2017 11:01
robertknight (Member) commented:

Rebased.

codecov bot commented Nov 8, 2017:

Codecov Report

Merging #4672 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #4672   +/-   ##
=======================================
  Coverage   96.54%   96.54%           
=======================================
  Files         367      367           
  Lines       20517    20517           
  Branches     1165     1165           
=======================================
  Hits        19809    19809           
  Misses        601      601           
  Partials      107      107

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bd8f6e5...4cc12df. Read the comment docs.

@robertknight robertknight merged commit d3b1daf into master Nov 8, 2017
@robertknight robertknight deleted the pyup-update-pyjwt-1.4.1-to-1.5.3 branch November 8, 2017 11:22