pallets-eco / flask-jwt

JWT (JSON Web Tokens) for Flask applications
MIT License

Fix jwt_decode ignoring options #90

Open CptSpaceToaster opened 8 years ago

CptSpaceToaster commented 8 years ago

The JWT_VERIFY_CLAIMS and JWT_REQUIRED_CLAIMS assume that item presence implies each item should be verified/required, and items that are excluded should NOT be verified or required.

Unfortunately, the PyJWT library will merge the supplied list of options against a list of defaults: https://github.com/jpadilla/pyjwt/blob/1.4.0/jwt/api_jwt.py#L74-L75

This means that if a user wanted to disable verification on expiration, a user can NOT change JWT_VERIFY_CLAIMS = ['signature', 'exp', 'nbf', 'iat'] to JWT_VERIFY_CLAIMS = ['signature', 'nbf', 'iat'].

If a user DOESN'T want it to verify the expiration, then they need to explicitly set verify_exp to False. The current algorithm will look at the list, see that verify_exp was omitted, and pass in nothing for verify_exp, which then makes PyJWT assume a default (which is verify_exp=True).

To fix, the _default_jwt_decode_handler was updated to generate an options dictionary that sets each option to True or False, so JWT_VERIFY_CLAIMS = ['signature', 'nbf', 'iat'] now properly sets verify_exp=False.
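The mechanism described above, as an added illustration that is not code from flask-jwt or PyJWT: the PyJWT merge step is re-implemented here from the linked api_jwt.py so it runs offline, and the two builder functions are assumed reconstructions of the decode handler's option generation before and after the fix.

```python
# Constructed example: reproduces the default-merge behaviour of PyJWT 1.4 and
# compares the presence-only options dict with the explicit True/False one.

# Defaults PyJWT 1.4 starts from before applying the caller's options dict
# (taken from the _get_default_options() in the linked api_jwt.py)
PYJWT_DEFAULT_OPTIONS = {
    "verify_signature": True, "verify_exp": True, "verify_nbf": True,
    "verify_iat": True, "verify_aud": True,
    "require_exp": False, "require_iat": False, "require_nbf": False,
}

# Claims flask-jwt exposes through JWT_VERIFY_CLAIMS / JWT_REQUIRED_CLAIMS
VERIFIABLE_CLAIMS = ("signature", "exp", "nbf", "iat")
REQUIRABLE_CLAIMS = ("exp", "nbf", "iat")


def merge_with_defaults(options):
    """Mimic PyJWT: caller keys override defaults, missing keys keep the default."""
    merged = dict(PYJWT_DEFAULT_OPTIONS)
    merged.update(options or {})
    return merged


def build_options_before(verify_claims, required_claims):
    """Hypothetical pre-fix shape: only listed claims get a key, omission passes nothing."""
    options = {"verify_" + c: True for c in verify_claims}
    options.update({"require_" + c: True for c in required_claims})
    return options


def build_options_after(verify_claims, required_claims):
    """Hypothetical post-fix shape: every known claim gets an explicit True/False."""
    options = {"verify_" + c: c in verify_claims for c in VERIFIABLE_CLAIMS}
    options.update({"require_" + c: c in required_claims for c in REQUIRABLE_CLAIMS})
    return options


def effective_options(builder, verify_claims, required_claims):
    """What PyJWT would actually enforce for a given handler and config."""
    return merge_with_defaults(builder(verify_claims, required_claims))


if __name__ == "__main__":
    cfg = (["signature", "nbf", "iat"], ["exp", "iat", "nbf"])  # 'exp' left out of verify
    print("before:", effective_options(build_options_before, *cfg)["verify_exp"])  # True
    print("after: ", effective_options(build_options_after, *cfg)["verify_exp"])   # False
```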

coveralls commented 8 years ago


Coverage remained the same at 95.652% when pulling 07d4017618700c61e636886b08408075960298ca on CptSpaceToaster:master into c27084114e258863b82753fc574a362cd6c62fcd on mattupstate:master.

guillermo-carrasco commented 7 years ago

The PR is old but it works and it's a required fix. Any plans of merging?

CptSpaceToaster commented 7 years ago

It seems to have made it into: https://github.com/mattupstate/flask-jwt/pull/95, so I suggest you make noise there instead.