Remove rejection of future 'iat' claims #252

Merged (2 commits), Apr 17, 2017
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
- Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
- Tokens with future 'iat' values are no longer rejected [#190][190]
- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError


### Fixed

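Review bot: the second new entry, `- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError`, carries no `[#NNN][NNN]` reference while every neighbouring entry does; add one in the same style (the PR title gives this as #252) so the behaviour change is traceable from the changelog. That entry is also a change in exception type that callers catching `DecodeError` for this case will notice, so it is worth stating plainly as a behaviour change rather than as a fix, and the `[190]` reference on the future-`iat` entry should be checked against the issue or PR that actually requested the removal, since the new link definition points at a pull URL.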
Expand Down Expand Up @@ -129,5 +132,6 @@ rarely used. Users affected by this should upgrade to 3.3+.
[174]: https://github.com/jpadilla/pyjwt/pull/174
[182]: https://github.com/jpadilla/pyjwt/pull/182
[183]: https://github.com/jpadilla/pyjwt/pull/183
[190]: https://github.com/jpadilla/pyjwt/pull/190
[213]: https://github.com/jpadilla/pyjwt/pull/214
[244]: https://github.com/jpadilla/pyjwt/pull/244
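Review bot: the context line `[213]: https://github.com/jpadilla/pyjwt/pull/214` maps reference key 213 to pull 214, which is a pre-existing mismatch rather than something this hunk introduces, but since the block is being edited to add `[190]` it is a cheap drive-by to fix while here.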
3 changes: 1 addition & 2 deletions docs/usage.rst
Expand Up @@ -180,8 +180,7 @@ Issued At Claim (iat)
This claim can be used to determine the age of the JWT. Its value MUST be a
number containing a NumericDate value. Use of this claim is OPTIONAL.

If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
will be raised.
If the `iat` claim is not a number, an `jwt.InvalidIssuedAtError` exception will be raised.

.. code-block:: python

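Review bot: the replacement paragraph drops every statement about how `iat` relates to the current time, which leaves readers upgrading from the previous behaviour (future `iat` rejected with `jwt.InvalidIssuedAtError`) with no hint that the library no longer compares `iat` against the clock at all; add a sentence saying that `iat` is not validated against the current time and that applications wanting to bound token age must check it themselves. Two smaller points: "an `jwt.InvalidIssuedAtError`" should read "a `jwt.InvalidIssuedAtError`", and the surrounding text says the value "MUST be a number containing a NumericDate value" while the new exception message in `jwt/api_jwt.py` says "must be an integer"; the two should agree, since NumericDate allows non-integer values.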
8 changes: 2 additions & 6 deletions jwt/api_jwt.py
Expand Up @@ -121,13 +121,9 @@ def _validate_required_claims(self, payload, options):

def _validate_iat(self, payload, now, leeway):
try:
iat = int(payload['iat'])
int(payload['iat'])
except ValueError:
raise DecodeError('Issued At claim (iat) must be an integer.')

if iat > (now + leeway):
raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
' the future.')
raise InvalidIssuedAtError('Issued At claim (iat) must be an integer.')

def _validate_nbf(self, payload, now, leeway):
try:
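Review bot: `int(payload['iat'])` inside `try: ... except ValueError:` only converts non-numeric strings into `InvalidIssuedAtError`; an `iat` of `None`, a list or a dict makes `int()` raise `TypeError`, which escapes `_validate_iat` uncaught instead of surfacing as a token-validation error. Catch `(ValueError, TypeError)` so every malformed `iat` takes the same path, or reject non-numeric types explicitly before the conversion. With the comparison gone, `now` and `leeway` are no longer used in `_validate_iat(self, payload, now, leeway)`; either drop them from the signature and the call site or leave a short comment saying why the claim is no longer compared against the clock, so the next reader does not assume the check was lost by accident. The message "must be an integer" also disagrees with `docs/usage.rst`, which documents `iat` as a NumericDate number.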
9 changes: 1 addition & 8 deletions tests/test_api_jwt.py
Expand Up @@ -142,7 +142,7 @@ def test_decode_raises_exception_if_iat_is_not_int(self, jwt):
'eyJpYXQiOiJub3QtYW4taW50In0.'
'H1GmcQgSySa5LOKYbzGm--b1OmRbHFkyk8pq811FzZM')

with pytest.raises(DecodeError):
with pytest.raises(InvalidIssuedAtError):
jwt.decode(example_jwt, 'secret')

def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
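Review bot: after this change a non-integer `iat` raises `InvalidIssuedAtError` while the neighbouring `test_decode_raises_exception_if_nbf_is_not_int` still expects `DecodeError` for the same defect in `nbf`, so the two time claims now report malformed values through different exception classes. Either give `nbf` (and `exp`, if it has the same pattern) the matching claim-specific exception in this PR, or note the asymmetry in the changelog so callers catching by type know which claim raises what.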
Expand All @@ -154,13 +154,6 @@ def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
with pytest.raises(DecodeError):
jwt.decode(example_jwt, 'secret')

def test_decode_raises_exception_if_iat_in_the_future(self, jwt):
now = datetime.utcnow()
token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret')

with pytest.raises(InvalidIssuedAtError):
jwt.decode(token, 'secret')

def test_encode_datetime(self, jwt):
secret = 'secret'
current_datetime = datetime.utcnow()
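Review bot: deleting `test_decode_raises_exception_if_iat_in_the_future` leaves the new behaviour unpinned; replace it with a positive test that encodes `{'iat': now + timedelta(days=1)}` and asserts `jwt.decode(token, 'secret')` succeeds, so a later refactor cannot quietly reintroduce the rejection. Also confirm that `timedelta` is still referenced elsewhere in the module once this test is gone; if this was its only use, the import should go too.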