jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

verify_exp argument is ignored using pyjwt 2.8.0 #908

Closed lorenzocelli closed 1 year ago

lorenzocelli commented 1 year ago

I noticed that the verify_exp argument seems to be ignored when decoding a token signed with HS256.

Expected Result: by passing verify_exp = False I would expect the jwt.decode() method to succeed even if the provided exp value is in the past.

Actual Result: the jwt.decode() method throws an ExpiredSignatureError exception.

Reproduction Steps

import jwt

str = jwt.encode({"hello": "world", "exp": 0}, "secret")
jwt.decode(str, key="secret", algorithms=["HS256"], verify_exp=False)   # throws ExpiredSignatureError

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": ""
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.4"
  },
  "platform": {
    "release": "21.6.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.8.0"
  }
}

auvipy commented 1 year ago

Would you mind sending a fix for it?

lorenzocelli commented 1 year ago

Sorry, my bad! I did not notice that the argument was meant to be in the options dictionary:

jwt.decode(str, key="secret", algorithms=["HS256"], options={'verify_exp': False})
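
The behaviour discussed in this thread, as an added example that is not part of the original issue or of PyJWT's own code: it shows that a stray `verify_exp` keyword leaves expiry checking on, that `options={"verify_exp": False}` skips only the `exp` check while the signature is still verified, and that `leeway` keeps expiry enforced with bounded clock skew. The key, payloads and helper names are constructed for illustration, and the `TypeError` branch is an assumption about releases that refuse unknown keywords.

```python
import time
import warnings

import jwt  # PyJWT 2.x

KEY = "constructed-demo-key-0123456789abcdef"  # constructed sample secret
ALGS = ["HS256"]


def make_token(exp, key=KEY):
    """Sign a constructed payload with the given exp (seconds since epoch)."""
    return jwt.encode({"hello": "world", "exp": exp}, key, algorithm="HS256")


def decode_with_stray_kwarg(token):
    """The call from the report: verify_exp as a keyword, not inside options."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            jwt.decode(token, KEY, algorithms=ALGS, verify_exp=False)
            outcome = "accepted"
        except jwt.ExpiredSignatureError:
            outcome = "expired"  # keyword was not honoured, exp still enforced
        except TypeError:
            outcome = "rejected-kwarg"  # assumption: release refusing unknown keywords
    # Releases that warn about unsupported kwargs mention them in the message.
    flagged = any("kwargs" in str(w.message) for w in caught)
    return outcome, flagged


def decode_ignoring_expiry(token, key=KEY):
    """Skip only the exp check; signature and algorithm are still verified."""
    return jwt.decode(token, key, algorithms=ALGS, options={"verify_exp": False})


def decode_with_leeway(token, seconds=30):
    """Keep exp enforced but tolerate a bounded amount of clock skew."""
    return jwt.decode(token, KEY, algorithms=ALGS, leeway=seconds)


if __name__ == "__main__":
    expired = make_token(0)
    print(decode_with_stray_kwarg(expired))
    print(decode_ignoring_expiry(expired))
    print(decode_with_leeway(make_token(int(time.time()) - 10)))
```

Where the goal is only to absorb clock drift between issuer and verifier, `leeway` is the narrower setting, since tokens that expired long ago are still rejected.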