jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

PyJWT 2.6.0 IAT Decode Error - TypeError: '>' not supported between instances of 'str' and 'int' #817

Closed jbmcfarlin31 closed 1 year ago

jbmcfarlin31 commented 1 year ago

Summary

Just upgraded to version 2.6.0 and now whenever I try to do a decode of a JWT I get the following error:

def _validate_iat(self, payload, now, leeway):
        iat = payload["iat"]
        try:
            int(iat)
        except ValueError:
            raise InvalidIssuedAtError("Issued At claim (iat) must be an integer.")
>       if iat > (now + leeway):
E       TypeError: '>' not supported between instances of 'str' and 'int'

It appears that the iat value is "trying" to be converted (and if not, raises an exception) but doesn't actually evaluate the iat value as an int.

My payload comes across like:

payload["iat"] = '1638202770'

So trying to perform > operations on that will result in a string. This does not happen in version 2.5.0 so I believe this is a regression.

Expected Result

A valid decode of my JWT value:

import jwt

decoded = jwt.decode(data, pub_key, algorithms=["RS256"], audience=["x.com"])

print(decoded)

Actual Result

def _validate_iat(self, payload, now, leeway):
        iat = payload["iat"]
        try:
            int(iat)
        except ValueError:
            raise InvalidIssuedAtError("Issued At claim (iat) must be an integer.")
>       if iat > (now + leeway):
E       TypeError: '>' not supported between instances of 'str' and 'int'

Reproduction Steps

import jwt

data = <jwt_content>
pub_key = <path_to_pub_key>

decoded = jwt.decode(data, pub_key, algorithms=["RS256"], audience=["x.com"])

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "38.0.1"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.9.13"
  },
  "platform": {
    "release": "20.6.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.6.0"
  }
}

This command is only available on PyJWT v1.6.3 and greater. Otherwise, please provide some basic information about your system.
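The check quoted in the report, reproduced as a standalone added example (not part of the original post and not PyJWT's own code), next to a variant that keeps the converted value. The exception classes are local stand-ins, `validate_iat_coerced`, `outcome` and `NOW` are hypothetical names, and the corrected variant is an assumption about one possible fix, not the change the project merged.

```python
# Added illustration; standalone, does not import PyJWT.
NOW = 1_700_000_000  # constructed "current time" so results are reproducible


class InvalidIssuedAtError(Exception):
    """Local stand-in for the exception named in the quoted source."""


class ImmatureSignatureError(Exception):
    """Local stand-in (assumed name) for an iat that lies in the future."""


def validate_iat_as_reported(payload, now, leeway=0):
    # Same shape as the lines quoted in the report: int(iat) is evaluated
    # only to see whether it raises, and the result is thrown away.
    iat = payload["iat"]
    try:
        int(iat)
    except ValueError:
        raise InvalidIssuedAtError("Issued At claim (iat) must be an integer.")
    if iat > (now + leeway):  # still the original str here
        raise ImmatureSignatureError("iat is in the future")


def validate_iat_coerced(payload, now, leeway=0):
    # Assumed correction: keep the converted value, and treat a TypeError
    # from int() (e.g. None, list) as an invalid claim as well.
    try:
        iat = int(payload["iat"])
    except (TypeError, ValueError):
        raise InvalidIssuedAtError("Issued At claim (iat) must be an integer.")
    if iat > (now + leeway):
        raise ImmatureSignatureError("iat is in the future")
    return iat


def outcome(validator, iat_value, now=NOW):
    """Return 'accepted' or the name of the exception the validator raised."""
    try:
        validator({"iat": iat_value}, now)
    except Exception as exc:
        return type(exc).__name__
    return "accepted"


if __name__ == "__main__":
    # '1638202770' is the value from the report; the rest are constructed.
    for value in ("1638202770", 1638202770, "not-a-number", None, "1800000000"):
        print(repr(value), outcome(validate_iat_as_reported, value),
              outcome(validate_iat_coerced, value))
```

With the check as reported, a numeric string or `None` surfaces as a bare `TypeError`, so a caller that handles only the library's JWT exceptions sees an unhandled error instead of a rejected token.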

oktavlachs commented 1 year ago

+1, same for me

my test is

import jwt

decoded = jwt.decode(data, pub_key, algorithms=["RS512"])

print(decoded)

oktavlachs commented 1 year ago

Happy to provide also a full stack trace

Traceback (most recent call last):
File "/jwt.py", line 72, in validate
    decoded: dict = decode(data, pub_key, algorithms=["RS512"])
File "/code/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 168, in decode
    decoded = self.decode_complete(
File "/code/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 136, in decode_complete
    self._validate_claims(
File "/code/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 193, in _validate_claims
    self._validate_iat(payload, now, leeway)
File "/code/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 218, in _validate_iat
    if iat > (now + leeway):
TypeError: '>' not supported between instances of 'str' and 'int'

oktavlachs commented 1 year ago

I tried out other versions and can verify that it stops working with version 2.0. This makes sense, since I updated recently from version 1.7.1

nayef-livio-derwiche commented 1 year ago

Do we have an update on this? Seems like a pretty big regression. How come it does not happen to more people? Did we miss something, or were we not supposed to use this function?

oktavlachs commented 1 year ago

Thanks for the fix 🙂

otterrisk commented 1 year ago

Hi, thanks for the fix! Are there plans to release a new version including #847 and make it available on PyPI anytime soon? The currently latest version (2.6.0) dates back to Oct 20, 2022 and does not contain that fix.

auvipy commented 1 year ago

@jpadilla Sorry to disturb you. Can I do a release?

alexforster commented 1 year ago

@jpadilla If you aren't ready to cut a new release with all the changes since 2.6.0, would it be possible to cherry-pick 0a99cc2427c7 onto a 2.6.1 release?

Uranium2 commented 1 year ago

@alexforster I was using this fix for my production builds. But @Viicos deleted his repos containing his fix. Would appreciate it if a 2.6.1 with this fix could be released. Until then, I'll cherry-pick in my requirements.txt with git+https://github.com/jpadilla/pyjwt.git@0a99cc2427c751275ea0002acca9ba0c07c25834#egg=pyjwt

Viicos commented 1 year ago

@Uranium2 Sorry for that, I try to keep my repositories tab clean. But I think with all the new features merged into master, the fact that it has been asked several times (https://github.com/jpadilla/pyjwt/issues/867), I think it would be great to have a new release (with https://github.com/jpadilla/pyjwt/pull/863 and https://github.com/jpadilla/pyjwt/pull/881 as well). @jpadilla @auvipy do you think that could be possible?