Merge pull request jpadilla#125 from mark-adams/refactor-private-apis

mark-adams · mark-adams · commit 54ed26b6e3db · 2015-03-29T14:57:04.000-05:00
Moved claims validation into a separate private method to make it simpler to understand the code.
diff --git a/jwt/api.py b/jwt/api.py
@@ -114,7 +114,9 @@ def decode(self, jwt, key='', verify=True, algorithms=None, **kwargs):
 
         if verify:
             self._verify_signature(payload, signing_input, header, signature,
-                                   key, algorithms, **kwargs)
+                                   key, algorithms)
+
+            self._validate_claims(payload, **kwargs)
 
         return payload
 
@@ -157,20 +159,13 @@ def _load(self, jwt):
         return (payload, signing_input, header, signature)
 
     def _verify_signature(self, payload, signing_input, header, signature,
-                          key='', algorithms=None, verify_expiration=True, leeway=0,
-                          audience=None, issuer=None):
+                          key='', algorithms=None):
 
         alg = header['alg']
 
         if algorithms is not None and alg not in algorithms:
             raise InvalidAlgorithmError('The specified alg value is not allowed')
 
-        if isinstance(leeway, timedelta):
-            leeway = timedelta_total_seconds(leeway)
-
-        if not isinstance(audience, (string_types, type(None))):
-            raise TypeError('audience must be a string or None')
-
         try:
             alg_obj = self._algorithms[alg]
             key = alg_obj.prepare_key(key)
@@ -181,6 +176,14 @@ def _verify_signature(self, payload, signing_input, header, signature,
         except KeyError:
             raise InvalidAlgorithmError('Algorithm not supported')
 
+    def _validate_claims(self, payload, verify_expiration=True, leeway=0,
+                         audience=None, issuer=None):
+        if isinstance(leeway, timedelta):
+            leeway = timedelta_total_seconds(leeway)
+
+        if not isinstance(audience, (string_types, type(None))):
+            raise TypeError('audience must be a string or None')
+
         if 'iat' in payload:
             try:
                 int(payload['iat'])
@@ -228,6 +231,7 @@ def _verify_signature(self, payload, signing_input, header, signature,
             if payload.get('iss') != issuer:
                 raise InvalidIssuerError('Invalid issuer')
 
+
 _jwt_global_obj = PyJWT()
 encode = _jwt_global_obj.encode
 decode = _jwt_global_obj.decode
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -479,9 +479,6 @@ def test_decode_with_expiration_with_leeway(self):
         for leeway in (3, timedelta(seconds=3)):
             self.jwt.decode(jwt_message, secret, leeway=leeway)
 
-            self.jwt._verify_signature(decoded_payload, signing, header,
-                                       signature, secret, leeway=leeway)
-
         # With 1 seconds, should fail
         for leeway in (1, timedelta(seconds=1)):
             with self.assertRaises(ExpiredSignatureError):
