Merged master branch in to remove Python 3.2 support and add the new

test vectors from jpadilla#160

Author: mark-adams

.coveragerc

@@ -4,3 +4,4 @@ omit =
     .tox/*
     setup.py
     *.egg/*
+    */__main__.py

.travis.yml

@@ -1,18 +1,18 @@
 language: python
 sudo: false
 env:
-  - TOXENV=pep8
-  - TOXENV=py26
-  - TOXENV=py27
-  - TOXENV=py32
-  - TOXENV=py33
-  - TOXENV=py34
+  - TOXENV=flake8
+  - TOXENV=py26-crypto
+  - TOXENV=py27-crypto
+  - TOXENV=py33-crypto
+  - TOXENV=py34-crypto
   - TOXENV=py34-nocrypto
   - TOXENV=py27-nocrypto
-  - TOXENV=py34-contrib-crypto
-  - TOXENV=py27-contrib-crypto
+  - TOXENV=py34-contrib_crypto
+  - TOXENV=py27-contrib_crypto
 install:
-  - pip install tox coveralls
+  - pip install -U pip
+  - pip install -U tox coveralls
 script:
   - tox
 after_success:

CHANGELOG.md

@@ -6,6 +6,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 [Unreleased][unreleased]
 -------------------------------------------------------------------------
+### Added
+- Added a new `jwt.get_unverified_header()` to parse and return the header portion of a token prior to signature verification.
+
+### Removed
+- Python 3.2 is no longer a supported platform. This version of Python is
+rarely used. Users affected by this should upgrade to 3.3+.
 
 [v1.2.0][1.2.0]
 -------------------------------------------------------------------------

appveyor.yml

@@ -0,0 +1,35 @@
+environment:
+  matrix:
+    - PYTHON: "C:\\Python27-x64"
+      TOX_ENV: "py27-crypto"
+
+    - PYTHON: "C:\\Python34-x64"
+      TOX_ENV: "py34-crypto"
+
+init:
+  - SET PATH=%PYTHON%;%PATH%
+  - python -c "import sys;sys.stdout.write(sys.version)"
+  - ECHO .
+  - python -m pip list
+
+# pip & virtualenv are pre-installed
+install:
+  - python -m pip install -U setuptools
+  - python -m pip install -U pip
+  - python -m pip install -U wheel
+  - python -m pip install -U tox
+
+build: false  # Not a C# project, build stuff at the test step instead.
+
+test_script:
+  - python -m tox -e %TOX_ENV%
+
+after_test:
+  - python setup.py bdist_wheel
+  - ps: "ls dist"
+
+artifacts:
+  - path: dist\*
+
+#on_success:
+#  - TODO: upload the content of dist/*.whl to a public wheelhouse

jwt/__init__.py

@@ -17,7 +17,8 @@
 
 
 from .api_jwt import (
-    encode, decode, register_algorithm, unregister_algorithm, PyJWT
+    encode, decode, register_algorithm, unregister_algorithm,
+    get_unverified_header, PyJWT
 )
 from .api_jws import PyJWS
 from .exceptions import (

bin/jwt jwt/__main__.pybin/jwt renamed to jwt/__main__.py

@@ -1,144 +1,135 @@
-#!/usr/bin/env python
-
-from __future__ import print_function
-
-import optparse
-import sys
-import json
-import time
-import jwt
-
-__prog__ = 'jwt'
-__version__ = '1.0.0'
-
-
-def fix_optionparser_whitespace(input):
-    """
-    Hacks around whitespace hypersensitivity in OptionParser
-    """
-    newline = ' ' * 80
-    doublespace = '\033[8m.\033[0m' * 2
-    return input.replace('  ', doublespace).replace('\n', newline)
-
-
-def main():
-    """Encodes or decodes JSON Web Tokens based on input
-
-Decoding examples:
-
-  %prog --key=secret json.web.token
-  %prog --no-verify json.web.token
-
-Encoding requires the key option and takes space separated key/value pairs
-separated by equals (=) as input. Examples:
-
-  %prog --key=secret iss=me exp=1302049071
-  %prog --key=secret foo=bar exp=+10
-
-The exp key is special and can take an offset to current Unix time.
-"""
-    p = optparse.OptionParser(
-        description=fix_optionparser_whitespace(main.__doc__),
-        prog=__prog__,
-        version='%s %s' % (__prog__, __version__),
-        usage='%prog [options] input'
-    )
-
-    p.add_option(
-        '-n', '--no-verify',
-        action='store_false',
-        dest='verify',
-        default=True,
-        help='ignore signature verification on decode'
-    )
-
-    p.add_option(
-        '--key',
-        dest='key',
-        metavar='KEY',
-        default=None,
-        help='set the secret key to sign with'
-    )
-
-    p.add_option(
-        '--alg',
-        dest='algorithm',
-        metavar='ALG',
-        default='HS256',
-        help='set crypto algorithm to sign with. default=HS256'
-    )
-
-    options, arguments = p.parse_args()
-
-    if len(arguments) > 0 or not sys.stdin.isatty():
-        if len(arguments) == 1 and ( options.verify is False or options.key is not None ):
-            # Try to decode
-            try:
-                if not sys.stdin.isatty():
-                    token = sys.stdin.read()
-                else:
-                    token = arguments[0]
-
-                token = token.encode('utf-8')
-                data = jwt.decode(token, key=options.key, verify=options.verify)
-
-                print(json.dumps(data))
-                sys.exit(0)
-            except jwt.DecodeError as e:
-                print(e)
-                sys.exit(1)
-
-        # Try to encode
-        if options.key is None:
-            print('Key is required when encoding. See --help for usage.')
-            sys.exit(1)
-
-        # Build payload object to encode
-        payload = {}
-
-        for arg in arguments:
-            try:
-                k, v = arg.split('=', 1)
-
-                # exp +offset special case?
-                if k == 'exp' and v[0] == '+' and len(v) > 1:
-                    v = str(int(time.time()+int(v[1:])))
-
-                # Cast to integer?
-                if v.isdigit():
-                    v = int(v)
-                else:
-                    # Cast to float?
-                    try:
-                        v = float(v)
-                    except ValueError:
-                        pass
-
-                # Cast to true, false, or null?
-                constants = {'true': True, 'false': False, 'null': None}
-
-                if v in constants:
-                    v = constants[v]
-
-                payload[k] = v
-            except ValueError:
-                print('Invalid encoding input at {}'.format(arg))
-                sys.exit(1)
-
-        try:
-            token = jwt.encode(
-                payload,
-                key=options.key,
-                algorithm=options.algorithm
-            )
-
-            print(token)
-            sys.exit(0)
-        except Exception as e:
-            print(e)
-            sys.exit(1)
-    else:
-        p.print_help()
-
-if __name__ == '__main__':
-    main()
+#!/usr/bin/env python
+
+from __future__ import absolute_import, print_function
+
+import json
+import optparse
+import sys
+import time
+
+from . import DecodeError, __package__, __version__, decode, encode
+
+
+def main():
+
+    usage = '''Encodes or decodes JSON Web Tokens based on input.
+
+  %prog [options] input
+
+Decoding examples:
+
+  %prog --key=secret json.web.token
+  %prog --no-verify json.web.token
+
+Encoding requires the key option and takes space separated key/value pairs
+separated by equals (=) as input. Examples:
+
+  %prog --key=secret iss=me exp=1302049071
+  %prog --key=secret foo=bar exp=+10
+
+The exp key is special and can take an offset to current Unix time.\
+'''
+    p = optparse.OptionParser(
+        usage=usage,
+        prog=__package__,
+        version='%s %s' % (__package__, __version__),
+    )
+
+    p.add_option(
+        '-n', '--no-verify',
+        action='store_false',
+        dest='verify',
+        default=True,
+        help='ignore signature verification on decode'
+    )
+
+    p.add_option(
+        '--key',
+        dest='key',
+        metavar='KEY',
+        default=None,
+        help='set the secret key to sign with'
+    )
+
+    p.add_option(
+        '--alg',
+        dest='algorithm',
+        metavar='ALG',
+        default='HS256',
+        help='set crypto algorithm to sign with. default=HS256'
+    )
+
+    options, arguments = p.parse_args()
+
+    if len(arguments) > 0 or not sys.stdin.isatty():
+        if len(arguments) == 1 and (not options.verify or options.key):
+            # Try to decode
+            try:
+                if not sys.stdin.isatty():
+                    token = sys.stdin.read()
+                else:
+                    token = arguments[0]
+
+                token = token.encode('utf-8')
+                data = decode(token, key=options.key, verify=options.verify)
+
+                print(json.dumps(data))
+                sys.exit(0)
+            except DecodeError as e:
+                print(e)
+                sys.exit(1)
+
+        # Try to encode
+        if options.key is None:
+            print('Key is required when encoding. See --help for usage.')
+            sys.exit(1)
+
+        # Build payload object to encode
+        payload = {}
+
+        for arg in arguments:
+            try:
+                k, v = arg.split('=', 1)
+
+                # exp +offset special case?
+                if k == 'exp' and v[0] == '+' and len(v) > 1:
+                    v = str(int(time.time()+int(v[1:])))
+
+                # Cast to integer?
+                if v.isdigit():
+                    v = int(v)
+                else:
+                    # Cast to float?
+                    try:
+                        v = float(v)
+                    except ValueError:
+                        pass
+
+                # Cast to true, false, or null?
+                constants = {'true': True, 'false': False, 'null': None}
+
+                if v in constants:
+                    v = constants[v]
+
+                payload[k] = v
+            except ValueError:
+                print('Invalid encoding input at {}'.format(arg))
+                sys.exit(1)
+
+        try:
+            token = encode(
+                payload,
+                key=options.key,
+                algorithm=options.algorithm
+            )
+
+            print(token)
+            sys.exit(0)
+        except Exception as e:
+            print(e)
+            sys.exit(1)
+    else:
+        p.print_help()
+
+if __name__ == '__main__':
+    main()

jwt/api_jws.py

@@ -119,6 +119,14 @@ def decode(self, jws, key='', verify=True, algorithms=None, options=None,
 
         return payload
 
+    def get_unverified_header(self, jwt):
+        """Returns back the JWT header parameters as a dict()
+
+        Note: The signature is not verified so the header parameters
+        should not be fully trusted until signature verification is complete
+        """
+        return self._load(jwt)[2]
+
     def _load(self, jwt):
         if isinstance(jwt, text_type):
             jwt = jwt.encode('utf-8')
@@ -178,3 +186,4 @@ def _verify_signature(self, payload, signing_input, header, signature,
 decode = _jws_global_obj.decode
 register_algorithm = _jws_global_obj.register_algorithm
 unregister_algorithm = _jws_global_obj.unregister_algorithm
+get_unverified_header = _jws_global_obj.get_unverified_header

jwt/api_jwt.py

@@ -169,3 +169,4 @@ def _validate_iss(self, payload, issuer):
 decode = _jwt_global_obj.decode
 register_algorithm = _jwt_global_obj.register_algorithm
 unregister_algorithm = _jwt_global_obj.unregister_algorithm
+get_unverified_header = _jwt_global_obj.get_unverified_header