Validate claims if configured and verify_signature is not. (jpadilla#608)

Natim · web-flow · commit 373d4d8a45ce · 2021-02-15T11:40:09.000-05:00
* Validate claims if configured.

* Remove secret and algorithm since we don't validate the signature.

* Add changelog.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -10,6 +10,8 @@ This project adheres to `Semantic Versioning <https://semver.org/>`__.
 Changed
 ~~~~~~~
 
+- Allow claims validation without making JWT signature validation mandatory. `#608 <https://github.com/jpadilla/pyjwt/pull/608>`__
+
 Fixed
 ~~~~~
 
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -75,6 +75,13 @@ def decode_complete(
         else:
             options.setdefault("verify_signature", True)
 
+        if not options["verify_signature"]:
+            options.setdefault("verify_exp", False)
+            options.setdefault("verify_nbf", False)
+            options.setdefault("verify_iat", False)
+            options.setdefault("verify_aud", False)
+            options.setdefault("verify_iss", False)
+
         if options["verify_signature"] and not algorithms:
             raise DecodeError(
                 'It is required that you pass in a value for the "algorithms" argument when calling decode().'
@@ -95,9 +102,8 @@ def decode_complete(
         if not isinstance(payload, dict):
             raise DecodeError("Invalid payload string: must be a json object")
 
-        if options["verify_signature"]:
-            merged_options = {**self.options, **options}
-            self._validate_claims(payload, merged_options, **kwargs)
+        merged_options = {**self.options, **options}
+        self._validate_claims(payload, merged_options, **kwargs)
 
         decoded["payload"] = payload
         return decoded
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -579,6 +579,22 @@ def test_decode_with_verify_exp_option(self, jwt, payload):
                 options={"verify_exp": True},
             )
 
+    def test_decode_with_verify_exp_option_and_signature_off(self, jwt, payload):
+        payload["exp"] = utc_timestamp() - 1
+        secret = "secret"
+        jwt_message = jwt.encode(payload, secret)
+
+        jwt.decode(
+            jwt_message,
+            options={"verify_signature": False},
+        )
+
+        with pytest.raises(ExpiredSignatureError):
+            jwt.decode(
+                jwt_message,
+                options={"verify_signature": False, "verify_exp": True},
+            )
+
     def test_decode_with_optional_algorithms(self, jwt, payload):
         secret = "secret"
         jwt_message = jwt.encode(payload, secret)

-Original file line number
+Diff line change
 Changed
 ~~~~~~~
 +- Allow claims validation without making JWT signature validation mandatory. `#608 <https://github.com/jpadilla/pyjwt/pull/608>`__
++
 Fixed
 ~~~~~