jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

_validate_claims in jwt/api_jwt.py raises expiration exception even though I didn't add exp into require #826

Closed berryscone closed 1 year ago

berryscone commented 1 year ago

In the decode_complete method, it merges self.options and options, and "verify_exp" is set in self.options. This makes the _validate_claims method check the expiration time even though I didn't request to check exp. (I call jwt.decode with a require option which doesn't have "exp".)

Expected Result

No exception raised

Actual Result

ExpiredSignatureError("Signature has expired") is raised

Reproduction Steps

Call the jwt.decode method with an expired token and a require option which doesn't have exp.

import jwt


def decode_token(token, settings):
    # Claims that must be present in the payload; "exp" is not listed.
    require = ["iat", "iss", "sub"]
    return jwt.decode(
        token,  # this token has an exp field but is expired
        settings.JWT_SECRET,
        algorithms=["HS256"],  # pass a list of allowed algorithms
        issuer=settings.JWT_ISSUER,
        options=dict(require=require, verify_signature=True),
    )

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "38.0.3"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.8"
  },
  "platform": {
    "release": "5.10.16.3-microsoft-standard-WSL2",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.6.0"
  }
}

This command is only available on PyJWT v1.6.3 and greater. Otherwise, please provide some basic information about your system.

berryscone commented 1 year ago

Sorry, I misunderstood the API. verify_exp=False should be added to the options. Please delete or close this issue (I can't find how to delete this issue).
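The behaviour discussed in this thread, as an added example that is not part of the original issue or of PyJWT's own code: `require` only checks that the listed claims are present, while `verify_exp` (on by default) decides whether an `exp` claim found in the token is validated. The secret, issuer, and helper names (`make_token`, `decode`, `outcome`) are constructed for the demonstration; note that passing `verify_exp=False` makes the decoder accept expired tokens.

```python
import time

import jwt  # PyJWT

SECRET = "constructed-demo-secret-with-at-least-32-bytes"  # constructed value
ISSUER = "https://issuer.example"  # constructed value


def make_token(exp_offset, omit=None):
    """Build an HS256 token whose exp lies exp_offset seconds from now.

    omit optionally names one claim to leave out of the payload.
    """
    now = int(time.time())
    claims = {
        "iat": now - 3600,
        "iss": ISSUER,
        "sub": "user-1",
        "exp": now + exp_offset,
    }
    if omit is not None:
        del claims[omit]
    return jwt.encode(claims, SECRET, algorithm="HS256")


def decode(token, **extra_options):
    """Decode with the require list from the issue plus any extra options."""
    options = {"require": ["iat", "iss", "sub"], "verify_signature": True}
    options.update(extra_options)
    return jwt.decode(
        token, SECRET, algorithms=["HS256"], issuer=ISSUER, options=options
    )


def outcome(token, **extra_options):
    """Return 'accepted' or the name of the exception PyJWT raised."""
    try:
        decode(token, **extra_options)
        return "accepted"
    except jwt.InvalidTokenError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("valid token:            ", outcome(make_token(300)))
    print("expired, default opts:  ", outcome(make_token(-60)))
    print("expired, verify_exp off:", outcome(make_token(-60), verify_exp=False))
    print("valid but 'sub' missing:", outcome(make_token(300, omit="sub")))
```
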