PyJWT.decode_complete() method changing provided options object #679
Description
PyJWT.decode_complete() method changing provided options object instead of working with copy or something similar
Expected Result
decode_jwt_options = {
'verify_signature': False,
'verify_aud': False,
}
Actual Result
decode_jwt_options = {
'verify_signature': False,
'verify_aud': False,
'verify_exp': False,
'verify_nbf': False,
'verify_iat': False,
'verify_iss': False
}
Fragment from api_jwt.py
def decode_complete(
self,
jwt: str,
key: str = "",
algorithms: List[str] = None,
options: Dict = None,
**kwargs,
) -> Dict[str, Any]:
# overriding original object section start
if options is None:
options = {"verify_signature": True}
else:
options.setdefault("verify_signature", True)
if not options["verify_signature"]:
options.setdefault("verify_exp", False)
options.setdefault("verify_nbf", False)
options.setdefault("verify_iat", False)
options.setdefault("verify_aud", False)
options.setdefault("verify_iss", False)
# overriding original object section end
if options["verify_signature"] and not algorithms:
raise DecodeError(
'It is required that you pass in a value for the "algorithms" argument when calling decode().'
)
decoded = api_jws.decode_complete(
jwt,
key=key,
algorithms=algorithms,
options=options,
**kwargs,
)
try:
payload = json.loads(decoded["payload"])
except ValueError as e:
raise DecodeError("Invalid payload string: %s" % e)
if not isinstance(payload, dict):
raise DecodeError("Invalid payload string: must be a json object")
merged_options = {**self.options, **options}
self._validate_claims(payload, merged_options, **kwargs)
decoded["payload"] = payload
return decoded
Reproduction Steps
import jwt
payload = {'some': 'payload'}
key = 'secret'
alg = 'HS256'
algs = ['RS256', 'HS256']
jwt_options = {
'verify_signature': False,
'verify_aud': False,
}
token = jwt.encode(payload=payload, key=key, algorithm=alg)
print(token)
decoded = jwt.decode(jwt=token, key=key, algorithms=algs, options=jwt_options)
print(jwt_options)}
print(decoded)