Refactored api.py so that all JWT functions are now part of a PyJWT class.

mark-adams · mark-adams · commit 4e024325715f · 2015-03-17T14:15:14.000-05:00
- Created a singleton instance to preserve jwt.encode, jwt.decode,
  jwt.register_algorithms existing public APIs
- Renamed load and verify_signature to _load and _verify_signature since
  they are not part of the existing public API
- Modified related tests to use PyJWT._load and PyJWT._verify_signature
diff --git a/jwt/__init__.py b/jwt/__init__.py
@@ -16,7 +16,7 @@
 __copyright__ = 'Copyright 2015 José Padilla'
 
 
-from .api import encode, decode, register_algorithm
+from .api import encode, decode, register_algorithm, PyJWT
 from .exceptions import (
     InvalidTokenError, DecodeError, ExpiredSignatureError,
     InvalidAudienceError, InvalidIssuerError,
diff --git a/jwt/algorithms.py b/jwt/algorithms.py
@@ -1,7 +1,6 @@
 import hashlib
 import hmac
 
-from .api import register_algorithm
 from .compat import constant_time_compare, string_types, text_type
 
 try:
@@ -18,23 +17,23 @@
     has_crypto = False
 
 
-def _register_default_algorithms():
+def _register_default_algorithms(pyjwt_obj):
     """
     Registers the algorithms that are implemented by the library.
     """
-    register_algorithm('none', NoneAlgorithm())
-    register_algorithm('HS256', HMACAlgorithm(HMACAlgorithm.SHA256))
-    register_algorithm('HS384', HMACAlgorithm(HMACAlgorithm.SHA384))
-    register_algorithm('HS512', HMACAlgorithm(HMACAlgorithm.SHA512))
+    pyjwt_obj.register_algorithm('none', NoneAlgorithm())
+    pyjwt_obj.register_algorithm('HS256', HMACAlgorithm(HMACAlgorithm.SHA256))
+    pyjwt_obj.register_algorithm('HS384', HMACAlgorithm(HMACAlgorithm.SHA384))
+    pyjwt_obj.register_algorithm('HS512', HMACAlgorithm(HMACAlgorithm.SHA512))
 
     if has_crypto:
-        register_algorithm('RS256', RSAAlgorithm(RSAAlgorithm.SHA256))
-        register_algorithm('RS384', RSAAlgorithm(RSAAlgorithm.SHA384))
-        register_algorithm('RS512', RSAAlgorithm(RSAAlgorithm.SHA512))
+        pyjwt_obj.register_algorithm('RS256', RSAAlgorithm(RSAAlgorithm.SHA256()))
+        pyjwt_obj.register_algorithm('RS384', RSAAlgorithm(RSAAlgorithm.SHA384()))
+        pyjwt_obj.register_algorithm('RS512', RSAAlgorithm(RSAAlgorithm.SHA512()))
 
-        register_algorithm('ES256', ECAlgorithm(ECAlgorithm.SHA256))
-        register_algorithm('ES384', ECAlgorithm(ECAlgorithm.SHA384))
-        register_algorithm('ES512', ECAlgorithm(ECAlgorithm.SHA512))
+        pyjwt_obj.register_algorithm('ES256', ECAlgorithm(ECAlgorithm.SHA256()))
+        pyjwt_obj.register_algorithm('ES384', ECAlgorithm(ECAlgorithm.SHA384()))
+        pyjwt_obj.register_algorithm('ES512', ECAlgorithm(ECAlgorithm.SHA512()))
 
 
 class Algorithm(object):
diff --git a/jwt/api.py b/jwt/api.py
@@ -12,175 +12,179 @@
 )
 from .utils import base64url_decode, base64url_encode
 
-
-_algorithms = {}
-
-
-def register_algorithm(alg_id, alg_obj):
-    """
-    Registers a new Algorithm for use when creating and verifying tokens.
-    """
-    if alg_id in _algorithms:
-        raise ValueError('Algorithm already has a handler.')
-
-    if not isinstance(alg_obj, Algorithm):
-        raise TypeError('Object is not of type `Algorithm`')
-
-    _algorithms[alg_id] = alg_obj
-
 from jwt.algorithms import Algorithm, _register_default_algorithms  # NOQA
-_register_default_algorithms()
-
-
-def encode(payload, key, algorithm='HS256', headers=None, json_encoder=None):
-    segments = []
-
-    if algorithm is None:
-        algorithm = 'none'
-
-    # Check that we get a mapping
-    if not isinstance(payload, Mapping):
-        raise TypeError('Expecting a mapping object, as json web token only'
-                        'support json objects.')
 
-    # Header
-    header = {'typ': 'JWT', 'alg': algorithm}
-    if headers:
-        header.update(headers)
+class PyJWT(object):
+    def __init__(self):
+        self._algorithms = {}
+        _register_default_algorithms(self)
+
+    def register_algorithm(self, alg_id, alg_obj):
+        """
+        Registers a new Algorithm for use when creating and verifying tokens.
+        """
+        if alg_id in self._algorithms:
+            raise ValueError('Algorithm already has a handler.')
+
+        if not isinstance(alg_obj, Algorithm):
+            raise TypeError('Object is not of type `Algorithm`')
+
+        self._algorithms[alg_id] = alg_obj
+
+    def encode(self, payload, key, algorithm='HS256', headers=None, json_encoder=None):
+        segments = []
+
+        if algorithm is None:
+            algorithm = 'none'
+
+        # Check that we get a mapping
+        if not isinstance(payload, Mapping):
+            raise TypeError('Expecting a mapping object, as json web token only'
+                            'support json objects.')
+
+        # Header
+        header = {'typ': 'JWT', 'alg': algorithm}
+        if headers:
+            header.update(headers)
 
-    json_header = json.dumps(
-        header,
-        separators=(',', ':'),
-        cls=json_encoder
-    ).encode('utf-8')
+        json_header = json.dumps(
+            header,
+            separators=(',', ':'),
+            cls=json_encoder
+        ).encode('utf-8')
 
-    segments.append(base64url_encode(json_header))
+        segments.append(base64url_encode(json_header))
 
-    # Payload
-    for time_claim in ['exp', 'iat', 'nbf']:
-        # Convert datetime to a intDate value in known time-format claims
-        if isinstance(payload.get(time_claim), datetime):
-            payload[time_claim] = timegm(payload[time_claim].utctimetuple())
+        # Payload
+        for time_claim in ['exp', 'iat', 'nbf']:
+            # Convert datetime to a intDate value in known time-format claims
+            if isinstance(payload.get(time_claim), datetime):
+                payload[time_claim] = timegm(payload[time_claim].utctimetuple())
 
-    json_payload = json.dumps(
-        payload,
-        separators=(',', ':'),
-        cls=json_encoder
-    ).encode('utf-8')
+        json_payload = json.dumps(
+            payload,
+            separators=(',', ':'),
+            cls=json_encoder
+        ).encode('utf-8')
 
-    segments.append(base64url_encode(json_payload))
+        segments.append(base64url_encode(json_payload))
 
-    # Segments
-    signing_input = b'.'.join(segments)
-    try:
-        alg_obj = _algorithms[algorithm]
-        key = alg_obj.prepare_key(key)
-        signature = alg_obj.sign(signing_input, key)
-
-    except KeyError:
-        raise NotImplementedError('Algorithm not supported')
-
-    segments.append(base64url_encode(signature))
-
-    return b'.'.join(segments)
-
-
-def decode(jwt, key='', verify=True, **kwargs):
-    payload, signing_input, header, signature = load(jwt)
-
-    if verify:
-        verify_signature(payload, signing_input, header, signature, key,
-                         **kwargs)
-
-    return payload
-
-
-def load(jwt):
-    if isinstance(jwt, text_type):
-        jwt = jwt.encode('utf-8')
-    try:
-        signing_input, crypto_segment = jwt.rsplit(b'.', 1)
-        header_segment, payload_segment = signing_input.split(b'.', 1)
-    except ValueError:
-        raise DecodeError('Not enough segments')
-
-    try:
-        header_data = base64url_decode(header_segment)
-    except (TypeError, binascii.Error):
-        raise DecodeError('Invalid header padding')
-    try:
-        header = json.loads(header_data.decode('utf-8'))
-    except ValueError as e:
-        raise DecodeError('Invalid header string: %s' % e)
-    if not isinstance(header, Mapping):
-        raise DecodeError('Invalid header string: must be a json object')
-
-    try:
-        payload_data = base64url_decode(payload_segment)
-    except (TypeError, binascii.Error):
-        raise DecodeError('Invalid payload padding')
-    try:
-        payload = json.loads(payload_data.decode('utf-8'))
-    except ValueError as e:
-        raise DecodeError('Invalid payload string: %s' % e)
-    if not isinstance(payload, Mapping):
-        raise DecodeError('Invalid payload string: must be a json object')
-
-    try:
-        signature = base64url_decode(crypto_segment)
-    except (TypeError, binascii.Error):
-        raise DecodeError('Invalid crypto padding')
-
-    return (payload, signing_input, header, signature)
-
-
-def verify_signature(payload, signing_input, header, signature, key='',
-                     verify_expiration=True, leeway=0, audience=None,
-                     issuer=None):
-
-    if isinstance(leeway, timedelta):
-        leeway = timedelta_total_seconds(leeway)
-
-    if not isinstance(audience, (string_types, type(None))):
-        raise TypeError('audience must be a string or None')
-
-    try:
-        alg_obj = _algorithms[header['alg']]
-        key = alg_obj.prepare_key(key)
-
-        if not alg_obj.verify(signing_input, key, signature):
-            raise DecodeError('Signature verification failed')
-
-    except KeyError:
-        raise DecodeError('Algorithm not supported')
-
-    if 'nbf' in payload and verify_expiration:
-        utc_timestamp = timegm(datetime.utcnow().utctimetuple())
-
-        if payload['nbf'] > (utc_timestamp + leeway):
-            raise ExpiredSignatureError('Signature not yet valid')
-
-    if 'exp' in payload and verify_expiration:
-        utc_timestamp = timegm(datetime.utcnow().utctimetuple())
-
-        if payload['exp'] < (utc_timestamp - leeway):
-            raise ExpiredSignatureError('Signature has expired')
-
-    if 'aud' in payload:
-        audience_claims = payload['aud']
-        if isinstance(audience_claims, string_types):
-            audience_claims = [audience_claims]
-        if not isinstance(audience_claims, list):
-            raise InvalidAudienceError('Invalid claim format in token')
-        if any(not isinstance(c, string_types) for c in audience_claims):
-            raise InvalidAudienceError('Invalid claim format in token')
-        if audience not in audience_claims:
-            raise InvalidAudienceError('Invalid audience')
-    elif audience is not None:
-        # Application specified an audience, but it could not be
-        # verified since the token does not contain a claim.
-        raise InvalidAudienceError('No audience claim in token')
-
-    if issuer is not None:
-        if payload.get('iss') != issuer:
-            raise InvalidIssuerError('Invalid issuer')
+        # Segments
+        signing_input = b'.'.join(segments)
+        try:
+            alg_obj = self._algorithms[algorithm]
+            key = alg_obj.prepare_key(key)
+            signature = alg_obj.sign(signing_input, key)
+
+        except KeyError:
+            raise NotImplementedError('Algorithm not supported')
+
+        segments.append(base64url_encode(signature))
+
+        return b'.'.join(segments)
+
+
+    def decode(self, jwt, key='', verify=True, **kwargs):
+        payload, signing_input, header, signature = self._load(jwt)
+
+        if verify:
+            self._verify_signature(payload, signing_input, header, signature,
+                            key, **kwargs)
+
+        return payload
+
+
+    def _load(self, jwt):
+        if isinstance(jwt, text_type):
+            jwt = jwt.encode('utf-8')
+        try:
+            signing_input, crypto_segment = jwt.rsplit(b'.', 1)
+            header_segment, payload_segment = signing_input.split(b'.', 1)
+        except ValueError:
+            raise DecodeError('Not enough segments')
+
+        try:
+            header_data = base64url_decode(header_segment)
+        except (TypeError, binascii.Error):
+            raise DecodeError('Invalid header padding')
+        try:
+            header = json.loads(header_data.decode('utf-8'))
+        except ValueError as e:
+            raise DecodeError('Invalid header string: %s' % e)
+        if not isinstance(header, Mapping):
+            raise DecodeError('Invalid header string: must be a json object')
+
+        try:
+            payload_data = base64url_decode(payload_segment)
+        except (TypeError, binascii.Error):
+            raise DecodeError('Invalid payload padding')
+        try:
+            payload = json.loads(payload_data.decode('utf-8'))
+        except ValueError as e:
+            raise DecodeError('Invalid payload string: %s' % e)
+        if not isinstance(payload, Mapping):
+            raise DecodeError('Invalid payload string: must be a json object')
+
+        try:
+            signature = base64url_decode(crypto_segment)
+        except (TypeError, binascii.Error):
+            raise DecodeError('Invalid crypto padding')
+
+        return (payload, signing_input, header, signature)
+
+
+    def _verify_signature(self, payload, signing_input, header, signature,
+                          key='', verify_expiration=True, leeway=0,
+                          audience=None, issuer=None):
+
+        if isinstance(leeway, timedelta):
+            leeway = timedelta_total_seconds(leeway)
+
+        if not isinstance(audience, (string_types, type(None))):
+            raise TypeError('audience must be a string or None')
+
+        try:
+            alg_obj = self._algorithms[header['alg']]
+            key = alg_obj.prepare_key(key)
+
+            if not alg_obj.verify(signing_input, key, signature):
+                raise DecodeError('Signature verification failed')
+
+        except KeyError:
+            raise DecodeError('Algorithm not supported')
+
+        if 'nbf' in payload and verify_expiration:
+            utc_timestamp = timegm(datetime.utcnow().utctimetuple())
+
+            if payload['nbf'] > (utc_timestamp + leeway):
+                raise ExpiredSignatureError('Signature not yet valid')
+
+        if 'exp' in payload and verify_expiration:
+            utc_timestamp = timegm(datetime.utcnow().utctimetuple())
+
+            if payload['exp'] < (utc_timestamp - leeway):
+                raise ExpiredSignatureError('Signature has expired')
+
+        if 'aud' in payload:
+            audience_claims = payload['aud']
+            if isinstance(audience_claims, string_types):
+                audience_claims = [audience_claims]
+            if not isinstance(audience_claims, list):
+                raise InvalidAudienceError('Invalid claim format in token')
+            if any(not isinstance(c, string_types) for c in audience_claims):
+                raise InvalidAudienceError('Invalid claim format in token')
+            if audience not in audience_claims:
+                raise InvalidAudienceError('Invalid audience')
+        elif audience is not None:
+            # Application specified an audience, but it could not be
+            # verified since the token does not contain a claim.
+            raise InvalidAudienceError('No audience claim in token')
+
+        if issuer is not None:
+            if payload.get('iss') != issuer:
+                raise InvalidIssuerError('Invalid issuer')
+
+_jwt_global_obj = PyJWT()
+encode = _jwt_global_obj.encode
+decode = _jwt_global_obj.decode
+register_algorithm = _jwt_global_obj.register_algorithm
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
