jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Unexpected decode error `jwt.exceptions.DecodeError: Invalid header string: ...` #799

Open fabiocaccamo opened 2 years ago

fabiocaccamo commented 2 years ago

Thank you for this great library.

I have a project where I'm using this library for encoding/decoding tokens for resetting passwords. Everything works well, but the other day I got an unexpected error when a user clicked the password-reset-link sent via email. This is a very isolated case because it happened only once.

Actual Result

The following exception is raised:

jwt.exceptions.DecodeError: Invalid header string: 'utf-8' codec can't decode byte 0xb7 in position 2: invalid start byte

Reproduction Steps

import jwt

token = "flW3fKBvBvWXI4DvYDWucTdvBvWVHmV4AvW2.flW4d5IlK6CeVwblAGZlYDWyfUBvBwF5AwV6ZwVmZEu2.XK5JCdat9f8bAcKf8Ub6-EAJC8GYbyTAmgYIlFuFlhd"

# settings.JWT_SECRET is the application's HS256 key (the settings object itself is not shown here)
data = jwt.decode(
    token,
    settings.JWT_SECRET,
    algorithms=["HS256"],
)

The encoded data is a dict containing just user_pk and exp date, for example:

{
    "user_pk": 1,
    "exp": 1663002330,
}

System Information

{
  "cryptography": {
    "version": ""
  },
  "implementation": {
    "name": "CPython",
    "version": "3.8.10"
  },
  "platform": {
    "release": "5.4.0-125-generic",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.4.0"
  }
}
fabiocaccamo commented 2 years ago

UPDATE:

I investigated more by adding some logs inside jwt.api_jws module before the error is raised. The error is raised here: https://github.com/jpadilla/pyjwt/blob/master/jwt/api_jws.py#L261

The value of the header_data variable is this:

b'~U\xb7|\xa0o\x06\xf5\x97#\x80\xef`5\xaeq7o\x06\xf5\x95\x1eex\x02\xf5\xb6'

I checked the header_data encoding with chardet and this is the result:

{'encoding': 'Windows-1252', 'confidence': 0.73, 'language': ''}

Hope this will help.
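As an added illustration following the update above (example code, neither pyjwt's own nor the reporter's; standard library only): base64url-decoding the first segment of the posted token yields exactly the 27 bytes logged above, and because 0xb7 in position 2 cannot start a UTF-8 sequence the JSON parse of the header fails, which is what surfaces as `Invalid header string`. The helper below runs the same steps in the order a compact-JWS parser does and names the first one that fails, so a reset view can tell a rewritten link from a bad signature before calling `jwt.decode`. `triage_token`, `hs256_token`, `hs256_signature_valid`, `DEMO_KEY` and the well-formed token built from it are all constructed for this example; the mangled token is the one from the issue.

```python
# Added example, not pyjwt's code and not the reporter's: triage a JWT that
# arrived via an e-mail link before handing it to jwt.decode(). Standard
# library only. MANGLED_TOKEN is the token posted in this issue; DEMO_KEY and
# the "good" token built from it are constructed for the example.
import base64
import hashlib
import hmac
import json

MANGLED_TOKEN = (
    "flW3fKBvBvWXI4DvYDWucTdvBvWVHmV4AvW2"
    ".flW4d5IlK6CeVwblAGZlYDWyfUBvBwF5AwV6ZwVmZEu2"
    ".XK5JCdat9f8bAcKf8Ub6-EAJC8GYbyTAmgYIlFuFlhd"
)
DEMO_KEY = b"throwaway-demo-key-not-a-real-secret"  # constructed, never reuse


def b64url_decode(segment: str) -> bytes:
    """Decode one compact-JWS segment, restoring the '=' padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def triage_token(token: str, expected_alg: str = "HS256") -> dict:
    """Say why a token is structurally unusable, without verifying it.

    Follows the order a JWS parser uses: split into three segments, base64url-
    decode the header, parse it as UTF-8 JSON, check "alg", then decode the
    payload and signature. Returns "ok", a readable "reason", the parsed
    "header" and the raw "header_bytes" (to compare with what the library logged).
    """
    result = {"ok": False, "reason": "", "header": None, "header_bytes": None}
    parts = token.split(".")
    if len(parts) != 3:
        result["reason"] = f"expected 3 segments, got {len(parts)}"
        return result
    header_seg, payload_seg, sig_seg = parts
    try:
        header_bytes = b64url_decode(header_seg)
    except ValueError as exc:  # binascii.Error, e.g. "Incorrect padding", is a ValueError
        result["reason"] = f"header segment is not base64url: {exc}"
        return result
    result["header_bytes"] = header_bytes
    try:
        # json.loads() on bytes decodes them as UTF-8 first. A byte such as 0xb7
        # that cannot start a UTF-8 sequence raises UnicodeDecodeError (a
        # ValueError), which pyjwt re-raises as "Invalid header string: ...".
        header = json.loads(header_bytes)
    except ValueError as exc:
        result["reason"] = f"header is not UTF-8 JSON: {exc}"
        return result
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected_alg:  # the verifier, not the token, fixes the algorithm
        result["reason"] = f"header alg {alg!r} is not the expected {expected_alg!r}"
        return result
    result["header"] = header
    try:
        json.loads(b64url_decode(payload_seg))
        b64url_decode(sig_seg)
    except ValueError as exc:
        result["reason"] = f"payload or signature segment unusable: {exc}"
        return result
    result["ok"] = True
    result["reason"] = "well-formed; the signature still has to be verified"
    return result


def hs256_token(payload: dict, key: bytes) -> str:
    """Minimal HS256 compact-JWS encoder (same format as jwt.encode(); key order
    and whitespace of the JSON may differ from what pyjwt emits)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
        for obj in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def hs256_signature_valid(token: str, key: bytes) -> bool:
    """Verify the HMAC over header.payload of a token that passed triage_token().
    The algorithm is fixed here and never read from the token."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


if __name__ == "__main__":
    print(triage_token(MANGLED_TOKEN))
    good = hs256_token({"user_pk": 1, "exp": 1663002330}, DEMO_KEY)
    print(triage_token(good)["reason"], hs256_signature_valid(good, DEMO_KEY))
```

One thing worth noticing is that the posted token keeps the segment lengths of a genuine HS256 token (36, 44 and 43 characters, i.e. a 27-byte header, a 33-byte payload and a 32-byte HMAC), so it arrived as a character-for-character rewrite rather than truncated or URL-damaged. The same triage reports the `Incorrect padding` error that base64 raises when a character outside the base64url alphabet has been inserted into a segment, which is the other shape a mangled link tends to take.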

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

fabiocaccamo commented 1 year ago

No more stale.

teuf22 commented 1 year ago

I observed a similar problem. I suspect that the user email program (Outlook it appears) is doing a 'pre-fetch' on the link (before the user clicks on it). However in this pre-fetch, Outlook is changing the jwt token to something bogus.

fabiocaccamo commented 1 year ago

@teuf22 interesting...

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

fabiocaccamo commented 1 year ago

no more stale

johnmba commented 1 year ago

I have the same issue and I have been trying to figure out what the problem is, but the only information I can get from the traceback is the binascii error, which says "Incorrect padding". According to Python, it's the direct cause of the error.