jamesremuscat / pyze

Unofficial Python client and API for Renault ZE
MIT License

jwt Immature signature check is not applied #52

Closed mfonville closed 4 years ago

mfonville commented 4 years ago

I hit this error:

  decoded = jwt.decode(token, options={'verify_signature': False, 'verify_aud': False})
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 104, in decode
    self._validate_claims(payload, merged_options, **kwargs)
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 131, in _validate_claims
    self._validate_nbf(payload, now, leeway)
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 165, in _validate_nbf
    raise ImmatureSignatureError('The token is not yet valid (nbf)')
jwt.exceptions.ImmatureSignatureError: The token is not yet valid (nbf)

That can happen because pyze only checks the validity of the token's expiration, but not its start time.

This only applies to the token requested by Kamereon, not by Gigya. Line https://github.com/jamesremuscat/pyze/blob/develop/src/pyze/api/kamereon.py#L132 should also store decoded['nbf'].

I might have a patch later if I find some time (working on some other project now that connects to Renault's API and hit the same issue with jwt).

mfonville commented 4 years ago

A simple fix seems to be to update in get_token:

            decoded = jwt.decode(token, options={'verify_signature': False, 'verify_aud': False, 'verify_nbf': False})
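The first comment's suggestion of tracking `nbf` alongside `exp`, as an added example using only the standard library (not pyze code and not written by the issue author). It assumes the future `nbf` comes from clock skew between client and server, and the function names, leeway values and sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample JWT with a dummy signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'constructed-signature')}"


def read_claims(token: str) -> dict:
    """Read the payload without verifying the signature.

    Only suitable for a client inspecting the timing claims of a token
    it was just issued, never for deciding whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_state(token: str, now: float, leeway: float = 0) -> str:
    """Classify a cached token as 'immature', 'valid' or 'expired'."""
    claims = read_claims(token)
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    if nbf is not None and now + leeway < nbf:
        return "immature"  # the case that raised ImmatureSignatureError
    if exp is not None and now - leeway >= exp:
        return "expired"
    return "valid"


if __name__ == "__main__":
    now = time.time()
    # Constructed case: issuer clock runs 5 seconds ahead of the client.
    sample = make_sample_token({"nbf": now + 5, "exp": now + 3600})
    print(token_state(sample, now))
    print(token_state(sample, now, leeway=30))
```

A bounded leeway keeps the `nbf` check in place while tolerating small clock differences, whereas `'verify_nbf': False` removes the check entirely.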