Add warning when decoding with no algorithms specified

2017-06-21 16:04:35 -04:00 · 2017-06-21 16:04:35 -04:00 · 11f30c4050
parent 37926ea0dd
commit 11f30c4050
4 changed files with 38 additions and 0 deletions
--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@ -117,6 +117,15 @@ class PyJWS(object):

    def decode(self, jws, key='', verify=True, algorithms=None, options=None,
               **kwargs):
+
+        if not algorithms:
+            warnings.warn(
+                'It is strongly recommended that you pass in a ' +
+                'value for the "algorithms" argument when calling decode(). ' +
+                'This argument will be mandatory in a future version.',
+                DeprecationWarning
+            )
+
        payload, signing_input, header, signature = self._load(jws)

        if verify:
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@ -58,6 +58,15 @@ class PyJWT(PyJWS):

    def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
               **kwargs):
+
+        if not algorithms:
+            warnings.warn(
+                'It is strongly recommended that you pass in a ' +
+                'value for the "algorithms" argument when calling decode(). ' +
+                'This argument will be mandatory in a future version.',
+                DeprecationWarning
+            )
+
        payload, signing_input, header, signature = self._load(jwt)

        if options is None:
--- a/tests/test_api_jws.py
+++ b/tests/test_api_jws.py
@ -265,6 +265,16 @@ class TestJWS:

        pytest.deprecated_call(jws.decode, example_jws, verify=False)

+    def test_decode_with_optional_algorithms(self, jws):
+        example_secret = 'secret'
+        example_jws = (
+            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
+            b'aGVsbG8gd29ybGQ.'
+            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
+        )
+
+        pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
+
    def test_load_no_verification(self, jws, payload):
        right_secret = 'foo'
        jws_message = jws.encode(payload, right_secret)
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@ -472,3 +472,13 @@ class TestJWT:
                secret,
                verify_expiration=True
            )
+
+    def test_decode_with_optional_algorithms(self, jwt, payload):
+        secret = 'secret'
+        jwt_message = jwt.encode(payload, secret)
+
+        pytest.deprecated_call(
+            jwt.decode,
+            jwt_message,
+            secret
+        )