Created utils.py to hold functions like constant_time_compare and base64-encoding

Author: mark-adams

jwt/__init__.py

@@ -12,6 +12,7 @@
 from datetime import datetime, timedelta
 from calendar import timegm
 from collections import Mapping
+from utils import base64url_encode, base64url_decode
 
 from .compat import (json, string_types, text_type, constant_time_compare,
                      timedelta_total_seconds)
@@ -70,25 +71,11 @@ class InvalidAudienceError(InvalidTokenError):
 class InvalidIssuerError(InvalidTokenError):
     pass
 
-
 # Compatibility aliases (deprecated)
 ExpiredSignature = ExpiredSignatureError
 InvalidAudience = InvalidAudienceError
 InvalidIssuer = InvalidIssuerError
 
-def base64url_decode(input):
-    rem = len(input) % 4
-
-    if rem > 0:
-        input += b'=' * (4 - rem)
-
-    return base64.urlsafe_b64decode(input)
-
-
-def base64url_encode(input):
-    return base64.urlsafe_b64encode(input).replace(b'=', b'')
-
-
 def header(jwt):
     if isinstance(jwt, text_type):
         jwt = jwt.encode('utf-8')

jwt/algorithms.py

@@ -3,6 +3,7 @@
 import sys
 
 from jwt import register_algorithm
+from utils import constant_time_compare
 
 if sys.version_info >= (3, 0, 0):
     unicode = str
@@ -77,33 +78,7 @@ def sign(self, msg, key):
         return hmac.new(key, msg, self.hash_alg).digest()
 
     def verify(self, msg, key, sig):
-        return self._constant_time_compare(sig, self.sign(msg, key))
-
-    try:
-        _constant_time_compare = staticmethod(hmac.compare_digest)
-    except AttributeError:
-        # Fallback for Python < 2.7.7 and Python < 3.3
-        @staticmethod
-        def constant_time_compare(val1, val2):
-            """
-            Returns True if the two strings are equal, False otherwise.
-
-            The time taken is independent of the number of characters that match.
-            """
-            if len(val1) != len(val2):
-                return False
-
-            result = 0
-
-            if sys.version_info >= (3, 0, 0):
-                # Bytes are numbers
-                for x, y in zip(val1, val2):
-                    result |= x ^ y
-            else:
-                for x, y in zip(val1, val2):
-                    result |= ord(x) ^ ord(y)
-
-            return result == 0
+        return constant_time_compare(sig, self.sign(msg, key))
 
 if has_crypto:
 

jwt/utils.py

@@ -0,0 +1,39 @@
+import base64
+import hmac
+
+def base64url_decode(input):
+    rem = len(input) % 4
+
+    if rem > 0:
+        input += b'=' * (4 - rem)
+
+    return base64.urlsafe_b64decode(input)
+
+
+def base64url_encode(input):
+    return base64.urlsafe_b64encode(input).replace(b'=', b'')
+
+try:
+    constant_time_compare = hmac.compare_digest
+except AttributeError:
+    # Fallback for Python < 2.7.7 and Python < 3.3
+    def constant_time_compare(val1, val2):
+        """
+        Returns True if the two strings are equal, False otherwise.
+
+        The time taken is independent of the number of characters that match.
+        """
+        if len(val1) != len(val2):
+            return False
+
+        result = 0
+
+        if sys.version_info >= (3, 0, 0):
+            # Bytes are numbers
+            for x, y in zip(val1, val2):
+                result |= x ^ y
+        else:
+            for x, y in zip(val1, val2):
+                result |= ord(x) ^ ord(y)
+
+        return result == 0