The _check_sub verifier should check if empty (#15203)

pypi · Jan 12, 2024 · 5587c72 · 5587c72
1 parent 1c962a4
commit 5587c72
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/tests/unit/oidc/models/test_google.py b/tests/unit/oidc/models/test_google.py
@@ -159,7 +159,7 @@ def test_google_publisher_email_verified(self, email_verified, valid):
             ("fakesubject", "fakesubject", True),
             ("fakesubject", "wrongsubject", False),
             # Publisher configured without subject: any subject is acceptable.
-            (None, "anysubject", True),
+            ("", "anysubject", True),
             # Publisher configured with subject, none provided: must fail.
             ("fakesubject", None, False),
         ],

diff --git a/warehouse/oidc/models/google.py b/warehouse/oidc/models/google.py
@@ -31,7 +31,7 @@ def _check_sub(
 ) -> bool:
     # If we haven't set a subject for the publisher, we don't need to check
     # this claim.
-    if ground_truth is None:
+    if ground_truth == "":
         return True
 
     # Defensive: Google should never send us an empty or null subject, but