Merge pull request jpadilla#171 from alexm92/master

Fixed jpadilla#167 throw InvalidAlgorithmError if alg not in header

Author: jpadilla

jwt/api_jws.py

@@ -165,7 +165,7 @@ def _load(self, jwt):
     def _verify_signature(self, payload, signing_input, header, signature,
                           key='', algorithms=None):
 
-        alg = header['alg']
+        alg = header.get('alg')
 
         if algorithms is not None and alg not in algorithms:
             raise InvalidAlgorithmError('The specified alg value is not allowed')

tests/test_api_jws.py

@@ -270,6 +270,16 @@ def test_verify_signature_with_no_secret(self, jws, payload):
 
         assert 'Signature verification' in str(exc.value)
 
+    def test_verify_signature_with_no_algo_header_throws_exception(self, jws, payload):
+        example_jws = (
+            b'e30'
+            b'.eyJhIjo1fQ'
+            b'.KEh186CjVw_Q8FadjJcaVnE7hO5Z9nHBbU8TgbhHcBY'
+        )
+
+        with pytest.raises(InvalidAlgorithmError):
+            jws.decode(example_jws, 'secret')
+
     def test_invalid_crypto_alg(self, jws, payload):
         with pytest.raises(NotImplementedError):
             jws.encode(payload, 'secret', algorithm='HS1024')