From 0788efb65653d3e97805f00784a59dc3314856d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joakim=20S=C3=B8rensen?=
Date: Thu, 16 May 2024 11:08:33 +0200
Subject: [PATCH] Validate iat as int (#252)

* Only validate that iat is an int

* Restore previous

* not
---
 pycognito/__init__.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index b6a52ef6..bd28318a 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
@@ -260,6 +260,7 @@ def verify_token(self, token, id_name, token_use):
                 issuer=self.user_pool_url,
                 options={
                     "require": required_claims,
+                    "verify_iat": False,
                 },
             )
         except jwt.PyJWTError as err:
@@ -274,6 +275,14 @@ def verify_token(self, token, id_name, token_use):
                 f"Your {id_name!r} token use ({token_use!r}) could not be verified."
             )
 
+        if (iat := verified.get("iat")) is not None:
+            try:
+                int(iat)
+            except ValueError as execption:
+                raise TokenVerificationException(
+                    f"Your {id_name!r} token's iat claim is not a valid integer."
+                ) from execption
+
         # Compute and verify at_hash (formerly done by python-jose)
         if "at_hash" in verified:
             alg_obj = jwt.get_algorithm_by_name(header["alg"])
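Review bot: Adding `"verify_iat": False` to the decode options switches off PyJWT's issued-at validation for every token, so a token whose `iat` lies in the future is no longer rejected by the library, and the integer check added in the second hunk does not restore that check. If the motivation is clock skew between the Cognito issuer and this host, passing a small `leeway` to `jwt.decode` keeps the check while tolerating a bounded skew. At minimum the new option deserves a why-comment, e.g. `# PyJWT's iat check is disabled; iat is only type-checked below (#252).` The `jwt.decode(` call and the enclosing `verify_token` begin above this hunk.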
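Review bot: `int(iat)` raises `TypeError`, not `ValueError`, when the claim is a JSON list, object or boolean-like container, so such a token escapes the new `except ValueError` clause and surfaces as an unhandled `TypeError` instead of a `TokenVerificationException`; widen it to `except (TypeError, ValueError) as exception:` and change the trailing line to `) from exception`, which also fixes the `execption` spelling. Note also that `int()` accepts numeric strings and truncates floats, so `"12"` or `12.9` pass this check — consistent with the commit title's loose intent, but worth stating in a comment such as `# Loose type check only: PyJWT's own iat validation is disabled in the decode options above.` The body of `verify_token` continues past the end of this hunk.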