From 33022c25525c1020869c71ce2a4109e44ae4ced1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Padilla?=
Date: Wed, 27 Nov 2024 22:19:49 -0500
Subject: [PATCH] Merge commit from fork

This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`.

```diff
-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
             if payload["iss"] not in issuer:
                 raise InvalidIssuerError("Invalid issuer")
         else:
```

Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`.

Co-authored-by: Fabian Badoi
---
 jwt/api_jwt.py        |  6 +++---
 tests/test_api_jwt.py | 10 ++++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index fa4d5e6f..3a201436 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -419,11 +419,11 @@ def _validate_iss(self, payload: dict[str, Any], issuer: Any) -> None:
 
         if "iss" not in payload:
             raise MissingRequiredClaimError("iss")
 
-        if isinstance(issuer, Sequence):
-            if payload["iss"] not in issuer:
+        if isinstance(issuer, str):
+            if payload["iss"] != issuer:
                 raise InvalidIssuerError("Invalid issuer")
         else:
-            if payload["iss"] != issuer:
+            if payload["iss"] not in issuer:
                 raise InvalidIssuerError("Invalid issuer")
 
 
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index 7cc583bd..ec68a079 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
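Review bot: The corrected branch order rests on a subtlety that the code itself should record, since the regression came from treating `str` as just another `Sequence`; above the `isinstance(issuer, str)` check add `# str is itself a Sequence: compare it as a whole value so a prefix of the expected issuer is never accepted; the "in" test below is only for a container of issuers`. The `else` branch now takes anything that is not a `str`, so a non-container `issuer` (an int, or a bare object) would surface a `TypeError` from `not in` instead of `InvalidIssuerError`; if such a value can reach this method through the public `issuer` argument, an explicit `isinstance(issuer, Sequence)` guard with a clear error would be the safer shape. If this was the module's only use of `Sequence`, that import is now unused. `_validate_iss`'s signature is outside the hunk and appears only in the hunk header.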
@@ -464,6 +464,16 @@ def test_raise_exception_token_without_issuer(self, jwt):
 
         assert exc.value.claim == "iss"
 
+    def test_rasise_exception_on_partial_issuer_match(self, jwt):
+        issuer = "urn:expected"
+
+        payload = {"iss": "urn:"}
+
+        token = jwt.encode(payload, "secret")
+
+        with pytest.raises(InvalidIssuerError):
+            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
+
     def test_raise_exception_token_without_audience(self, jwt):
         payload = {"some": "payload"}
         token = jwt.encode(payload, "secret")
 
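Review bot: The new test's name misspells "raise" (`test_rasise_exception_on_partial_issuer_match`); rename it `test_raise_exception_on_partial_issuer_match` so it matches its siblings and is found by name-based test selection. The test pins only the `str` prefix case; the swapped `else` branch in `_validate_iss` now relies on `not in` for lists, so a companion assertion that `issuer=["urn:expected"]` still rejects `"urn:"` — `jwt.decode(token, "secret", issuer=["urn:expected"], algorithms=["HS256"])` under the same `pytest.raises(InvalidIssuerError)` — and one that an exact match decodes successfully would guard both branches against a future swap. The enclosing test class begins outside the hunk.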