def test_decode_unknown_alg():
headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"})
token = b".".join(
map(lambda seg: base64.b64encode(seg.encode("utf-8")),
[headers, u"{}", u"sig"]))
with pytest.raises(ValueError) as excinfo:
jwt.decode(token)
assert excinfo.match(r"fakealg")
def test_decode_missing_crytography_alg(monkeypatch):
monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256")
headers = json.dumps({u"kid": u"1", u"alg": u"ES256"})
token = b".".join(
map(lambda seg: base64.b64encode(seg.encode("utf-8")),
[headers, u"{}", u"sig"]))
with pytest.raises(ValueError) as excinfo:
jwt.decode(token)
assert excinfo.match(r"cryptography")
def test_decode_bad_token_too_early(token_factory):
token = token_factory(
claims={
"iat":
_helpers.datetime_to_secs(_helpers.utcnow() +
datetime.timedelta(hours=1))
})
with pytest.raises(ValueError) as excinfo:
jwt.decode(token, PUBLIC_CERT_BYTES)
assert excinfo.match(r"Token used too early")
def test_decode_bad_token_expired(token_factory):
token = token_factory(
claims={
"exp":
_helpers.datetime_to_secs(_helpers.utcnow() -
datetime.timedelta(hours=1))
})
with pytest.raises(ValueError) as excinfo:
jwt.decode(token, PUBLIC_CERT_BYTES)
assert excinfo.match(r"Token expired")
def test_decode_with_invalid_audience(token_factory):
with pytest.raises(ValueError) as excinfo:
payload = jwt.decode(
token_factory(),
certs=PUBLIC_CERT_BYTES,
audience=["*****@*****.**", "*****@*****.**"])
assert excinfo.match(r"Token has wrong audience")
def test_decode_valid_with_audience(token_factory):
payload = jwt.decode(
token_factory(),
certs=PUBLIC_CERT_BYTES,
audience=["*****@*****.**", "*****@*****.**"])
assert payload["aud"] == "*****@*****.**"
assert payload["user"] == "billy bob"
assert payload["metadata"]["meta"] == "data"
def test_decode_no_key_id(token_factory):
token = token_factory(key_id=False)
certs = {"2": PUBLIC_CERT_BYTES}
payload = jwt.decode(token, certs)
assert payload["user"] == "billy bob"
def test_decode_no_cert(token_factory):
certs = {"2": PUBLIC_CERT_BYTES}
with pytest.raises(ValueError) as excinfo:
jwt.decode(token_factory(), certs)
assert excinfo.match(r"Certificate for key id 1 not found")
def test_decode_multicert_bad_cert(token_factory):
certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES}
with pytest.raises(ValueError) as excinfo:
jwt.decode(token_factory(), certs)
assert excinfo.match(r"Could not verify token signature")
def test_decode_wrong_cert(token_factory):
with pytest.raises(ValueError) as excinfo:
jwt.decode(token_factory(), OTHER_CERT_BYTES)
assert excinfo.match(r"Could not verify token signature")
def test_decode_bad_token_wrong_audience(token_factory):
token = token_factory()
audience = "*****@*****.**"
with pytest.raises(ValueError) as excinfo:
jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
assert excinfo.match(r"Token has wrong audience")
def test_decode_bad_token_no_iat_or_exp(signer):
token = jwt.encode(signer, {"test": "value"})
with pytest.raises(ValueError) as excinfo:
jwt.decode(token, PUBLIC_CERT_BYTES)
assert excinfo.match(r"Token does not contain required claim")
def test_decode_bad_token_not_json():
token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3)
with pytest.raises(ValueError) as excinfo:
jwt.decode(token, PUBLIC_CERT_BYTES)
assert excinfo.match(r"Can\'t parse segment")
def test_decode_bad_token_not_base64():
with pytest.raises((ValueError, TypeError)) as excinfo:
jwt.decode("1.2.3", PUBLIC_CERT_BYTES)
assert excinfo.match(r"Incorrect padding|more than a multiple of 4")
def test_decode_bad_token_wrong_number_of_segments():
with pytest.raises(ValueError) as excinfo:
jwt.decode("1.2", PUBLIC_CERT_BYTES)
assert excinfo.match(r"Wrong number of segments")
def test_decode_valid_unverified(token_factory):
payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
assert payload["aud"] == "*****@*****.**"
assert payload["user"] == "billy bob"
assert payload["metadata"]["meta"] == "data"
def test_roundtrip_explicit_key_id(token_factory):
token = token_factory(key_id="3")
certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}
payload = jwt.decode(token, certs)
assert payload["user"] == "billy bob"
def test_decode_valid_es256(token_factory):
payload = jwt.decode(token_factory(use_es256_signer=True),
certs=EC_PUBLIC_CERT_BYTES)
assert payload["aud"] == "*****@*****.**"
assert payload["user"] == "billy bob"
assert payload["metadata"]["meta"] == "data"
