Refactored PyJWT._validate_claims into multiple PyJWT._validate_*

submethods to eliminate a lot of complexity.

Author: mark-adams

jwt/api_jwt.py

@@ -26,13 +26,15 @@ def _get_default_options():
             'verify_nbf': True,
             'verify_iat': True,
             'verify_aud': True,
+            'verify_iss': True
         }
 
-    def encode(self, payload, key, algorithm='HS256', headers=None, json_encoder=None):
+    def encode(self, payload, key, algorithm='HS256', headers=None,
+               json_encoder=None):
         # Check that we get a mapping
         if not isinstance(payload, Mapping):
-            raise TypeError('Expecting a mapping object, as json web token only'
-                            'support json objects.')
+            raise TypeError('Expecting a mapping object, as JWT only supports '
+                            'JSON objects as payloads.')
 
         # Payload
         for time_claim in ['exp', 'iat', 'nbf']:
@@ -81,52 +83,78 @@ def _validate_claims(self, payload, audience=None, issuer=None, leeway=0,
         now = timegm(datetime.utcnow().utctimetuple())
 
         if 'iat' in payload and options.get('verify_iat'):
-            try:
-                iat = int(payload['iat'])
-            except ValueError:
-                raise DecodeError('Issued At claim (iat) must be an integer.')
-
-            if iat > (now + leeway):
-                raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
-                                           ' the future.')
+            self._validate_iat(payload, now, leeway)
 
         if 'nbf' in payload and options.get('verify_nbf'):
-            try:
-                nbf = int(payload['nbf'])
-            except ValueError:
-                raise DecodeError('Not Before claim (nbf) must be an integer.')
-
-            if nbf > (now + leeway):
-                raise ImmatureSignatureError('The token is not yet valid (nbf)')
+            self._validate_nbf(payload, now, leeway)
 
         if 'exp' in payload and options.get('verify_exp'):
-            try:
-                exp = int(payload['exp'])
-            except ValueError:
-                raise DecodeError('Expiration Time claim (exp) must be an'
-                                  ' integer.')
-
-            if exp < (now - leeway):
-                raise ExpiredSignatureError('Signature has expired')
-
-        if 'aud' in payload and options.get('verify_aud'):
-            audience_claims = payload['aud']
-            if isinstance(audience_claims, string_types):
-                audience_claims = [audience_claims]
-            if not isinstance(audience_claims, list):
-                raise InvalidAudienceError('Invalid claim format in token')
-            if any(not isinstance(c, string_types) for c in audience_claims):
-                raise InvalidAudienceError('Invalid claim format in token')
-            if audience not in audience_claims:
-                raise InvalidAudienceError('Invalid audience')
-        elif audience is not None:
+            self._validate_exp(payload, now, leeway)
+
+        if options.get('verify_iss'):
+            self._validate_iss(payload, issuer)
+
+        if options.get('verify_aud'):
+            self._validate_aud(payload, audience)
+
+    def _validate_iat(self, payload, now, leeway):
+        try:
+            iat = int(payload['iat'])
+        except ValueError:
+            raise DecodeError('Issued At claim (iat) must be an integer.')
+
+        if iat > (now + leeway):
+            raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
+                                       ' the future.')
+
+    def _validate_nbf(self, payload, now, leeway):
+        try:
+            nbf = int(payload['nbf'])
+        except ValueError:
+            raise DecodeError('Not Before claim (nbf) must be an integer.')
+
+        if nbf > (now + leeway):
+            raise ImmatureSignatureError('The token is not yet valid (nbf)')
+
+    def _validate_exp(self, payload, now, leeway):
+        try:
+            exp = int(payload['exp'])
+        except ValueError:
+            raise DecodeError('Expiration Time claim (exp) must be an'
+                              ' integer.')
+
+        if exp < (now - leeway):
+            raise ExpiredSignatureError('Signature has expired')
+
+    def _validate_aud(self, payload, audience):
+        if audience is None and 'aud' not in payload:
+            return
+
+        if audience is not None and 'aud' not in payload:
             # Application specified an audience, but it could not be
             # verified since the token does not contain a claim.
             raise InvalidAudienceError('No audience claim in token')
 
-        if issuer is not None:
-            if payload.get('iss') != issuer:
-                raise InvalidIssuerError('Invalid issuer')
+        audience_claims = payload['aud']
+
+        if isinstance(audience_claims, string_types):
+            audience_claims = [audience_claims]
+        if not isinstance(audience_claims, list):
+            raise InvalidAudienceError('Invalid claim format in token')
+        if any(not isinstance(c, string_types) for c in audience_claims):
+            raise InvalidAudienceError('Invalid claim format in token')
+        if audience not in audience_claims:
+            raise InvalidAudienceError('Invalid audience')
+
+    def _validate_iss(self, payload, issuer):
+        if issuer is None:
+            return
+
+        if 'iss' not in payload:
+            raise InvalidIssuerError('Token does not contain an iss claim')
+
+        if payload['iss'] != issuer:
+            raise InvalidIssuerError('Invalid issuer')
 
 
 _jwt_global_obj = PyJWT()