-
Notifications
You must be signed in to change notification settings - Fork 516
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
⬆️ upgrade pyjwt
to latest; introduce leeway to jwt.decode
#2335
⬆️ upgrade pyjwt
to latest; introduce leeway to jwt.decode
#2335
Conversation
Signed-off-by: ff137 <ff137@proton.me>
Some work required here, I can have a look after the weekend |
Signed-off-by: ff137 <ff137@proton.me>
Signed-off-by: ff137 <ff137@proton.me>
Test failures with
First scenario fails with:
|
Breaking change is from: jpadilla/pyjwt#797 This introduces stricter validation for the issued at claim in JWT tokens. If the value is in the future, even just a millisecond, PyJWT will raise an |
This addresses breaking change in `pyjwt` version 2.6 (jpadilla/pyjwt#797), where validation will now raise an `ImmatureSignatureError` if the 'issued at' time is in the future. Integration tests fail with `pyjwt~=2.6`, potentially because of clock synchronization / network latency / time zone differences in `issued_at` time of the jwt, so a leeway of 5 seconds attempts to accommodate ant potential latency / clock sync issue Signed-off-by: ff137 <ff137@proton.me>
Signed-off-by: ff137 <ff137@proton.me>
This addresses breaking change in `pyjwt` version 2.6 (jpadilla/pyjwt#797), where validation will now raise an `ImmatureSignatureError` if the 'issued at' time is in the future, with default 0 leeway. Integration tests fail with `pyjwt~=2.6`, potentially because of clock synchronization / network latency between `issued_at` time at generation and decoding of the jwt; so, a leeway of 1 second accommodates any potential latency / clock sync issue Signed-off-by: ff137 <ff137@proton.me>
Kudos, SonarCloud Quality Gate passed! |
pyjwt
to latestpyjwt
to latest; introduce leeway to jwt.decode
To understand the fix, we're permitting leeway of 1 second? 1 ms? |
I think we need to get 0.9.0 out. We’ve got several hot items to follow quickly on the tail of 0.9.0 so we’ll put this there (and we can do an Sorry about that. We’ll be talking about the next release at the ACA-Pug meeting tomorrow. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@swcurran I think this would be a low risk addition but happy to defer to your decision (I was a split second behind on my approval lol).
All good! It just resolves a python dependency conflict on a local test environment, but not a breaking one And the 1s leeway could be shorter, but it's a reiterative process to halve until it breaks again - with builds taking 35 minutes, I figured 1s is good enough :-) edit: Thanks! |
@dbluhm convinced me :-). Merged and will be in 0.9.0. |
Latest release (2.8) introduces support for python 3.10+
Release notes: https://github.com/jpadilla/pyjwt/releases
Note:
jwt.decode
can fail spuriously due to breaking changes introduced in jpadilla/pyjwt#797, where an exception is raised if the 'issued at' time of the JWT is in the future when decoding, with default 0 leeway. This means that a miniscule mismatch in clock synchronization, between generation and decoding of JWT, can now cause a failure when decoding. This arose in the integration tests, and is resolved with a leeway of 1 second.