Bump pyjwt from 2.6.0 to 2.8.0 (#2115)

* Bump pyjwt from 2.6.0 to 2.8.0 Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.6.0 to 2.8.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](https://github.com/jpadilla/pyjwt/compare/2.6.0...2.8.0) --- updated-dependencies: - dependency-name: pyjwt dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Update pyjwt==2.8.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com> [skip ci]
2025-07-10 15:32:38 -07:00 · 2023-08-23 21:45:15 -07:00 · 2023-08-23 21:45:15 -07:00 · c93f470371
commit c93f470371
parent 77f38bbf93
12 changed files with 542 additions and 260 deletions
--- a/lib/jwt/api_jws.py
+++ b/lib/jwt/api_jws.py
@ -3,7 +3,7 @@ from __future__ import annotations
 import binascii
 import json
 import warnings
-from typing import Any, Type
+from typing import TYPE_CHECKING, Any

 from .algorithms import (
    Algorithm,
@ -20,11 +20,18 @@ from .exceptions import (
 from .utils import base64url_decode, base64url_encode
 from .warnings import RemovedInPyjwt3Warning

+if TYPE_CHECKING:
+    from .algorithms import AllowedPrivateKeys, AllowedPublicKeys
+

 class PyJWS:
    header_typ = "JWT"

-    def __init__(self, algorithms=None, options=None) -> None:
+    def __init__(
+        self,
+        algorithms: list[str] | None = None,
+        options: dict[str, Any] | None = None,
+    ) -> None:
        self._algorithms = get_default_algorithms()
        self._valid_algs = (
            set(algorithms) if algorithms is not None else set(self._algorithms)
@ -96,11 +103,12 @@ class PyJWS:
    def encode(
        self,
        payload: bytes,
-        key: str,
+        key: AllowedPrivateKeys | str | bytes,
        algorithm: str | None = "HS256",
        headers: dict[str, Any] | None = None,
-        json_encoder: Type[json.JSONEncoder] | None = None,
+        json_encoder: type[json.JSONEncoder] | None = None,
        is_payload_detached: bool = False,
+        sort_headers: bool = True,
    ) -> str:
        segments = []

@ -133,9 +141,8 @@ class PyJWS:
            # True is the standard value for b64, so no need for it
            del header["b64"]

-        # Fix for headers misorder - issue #715
        json_header = json.dumps(
-            header, separators=(",", ":"), cls=json_encoder, sort_keys=True
+            header, separators=(",", ":"), cls=json_encoder, sort_keys=sort_headers
        ).encode()

        segments.append(base64url_encode(json_header))
@ -164,8 +171,8 @@ class PyJWS:

    def decode_complete(
        self,
-        jwt: str,
-        key: str = "",
+        jwt: str | bytes,
+        key: AllowedPublicKeys | str | bytes = "",
        algorithms: list[str] | None = None,
        options: dict[str, Any] | None = None,
        detached_payload: bytes | None = None,
@ -209,13 +216,13 @@ class PyJWS:

    def decode(
        self,
-        jwt: str,
-        key: str = "",
+        jwt: str | bytes,
+        key: AllowedPublicKeys | str | bytes = "",
        algorithms: list[str] | None = None,
        options: dict[str, Any] | None = None,
        detached_payload: bytes | None = None,
        **kwargs,
-    ) -> str:
+    ) -> Any:
        if kwargs:
            warnings.warn(
                "passing additional kwargs to decode() is deprecated "
@ -228,7 +235,7 @@ class PyJWS:
        )
        return decoded["payload"]

-    def get_unverified_header(self, jwt: str | bytes) -> dict:
+    def get_unverified_header(self, jwt: str | bytes) -> dict[str, Any]:
        """Returns back the JWT header parameters as a dict()

        Note: The signature is not verified so the header parameters
@ -239,7 +246,7 @@ class PyJWS:

        return headers

-    def _load(self, jwt: str | bytes) -> tuple[bytes, bytes, dict, bytes]:
+    def _load(self, jwt: str | bytes) -> tuple[bytes, bytes, dict[str, Any], bytes]:
        if isinstance(jwt, str):
            jwt = jwt.encode("utf-8")

@ -280,13 +287,15 @@ class PyJWS:
    def _verify_signature(
        self,
        signing_input: bytes,
-        header: dict,
+        header: dict[str, Any],
        signature: bytes,
-        key: str = "",
+        key: AllowedPublicKeys | str | bytes = "",
        algorithms: list[str] | None = None,
    ) -> None:
-
-        alg = header.get("alg")
+        try:
+            alg = header["alg"]
+        except KeyError:
+            raise InvalidAlgorithmError("Algorithm not specified")

        if not alg or (algorithms is not None and alg not in algorithms):
            raise InvalidAlgorithmError("The specified alg value is not allowed")
@ -295,16 +304,16 @@ class PyJWS:
            alg_obj = self.get_algorithm_by_name(alg)
        except NotImplementedError as e:
            raise InvalidAlgorithmError("Algorithm not supported") from e
-        key = alg_obj.prepare_key(key)
+        prepared_key = alg_obj.prepare_key(key)

-        if not alg_obj.verify(signing_input, key, signature):
+        if not alg_obj.verify(signing_input, prepared_key, signature):
            raise InvalidSignatureError("Signature verification failed")

    def _validate_headers(self, headers: dict[str, Any]) -> None:
        if "kid" in headers:
            self._validate_kid(headers["kid"])

-    def _validate_kid(self, kid: str) -> None:
+    def _validate_kid(self, kid: Any) -> None:
        if not isinstance(kid, str):
            raise InvalidTokenError("Key ID header parameter must be a string")