Add option to provide current time when decoding JWT #267

ZipFile · 2021-07-04T20:16:01Z

Makes possible to fake a time without using freezegun:freeze_time or unittest.mock:patch. Less monkey patching == better code.
Makes possible to reuse current time fetched elsewhere (e.g. from request).

codecov · 2021-07-04T22:33:20Z

Codecov Report

Merging #267 (7a66496) into master (be8e914) will not change coverage.
The diff coverage is 100.00%.

❗ Current head 7a66496 differs from pull request most recent head 9667b78. Consider uploading reports for the commit 9667b78 to get more accurate results

@@           Coverage Diff           @@
##           master     #267   +/-   ##
=======================================
  Coverage   92.94%   92.94%           
=======================================
  Files          15       15           
  Lines        1418     1418           
=======================================
  Hits         1318     1318           
  Misses        100      100

Impacted Files	Coverage Δ
jose/jwt.py	`98.01% <100.00%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update be8e914...9667b78. Read the comment docs.

blag

Dependency injection to ease testing? 👍
Dependency injection to improve usability? 👍
Code churn for no discernible reason? 👎

If you have a good reason for prepending the now parameter like you did, I'll definitely consider it, but I haven't seen a good reason for it yet. Please point me to it if I missed it. 😅

jose/jwt.py

blag · 2021-07-04T22:42:42Z

jose/jwt.py

@@ -455,7 +459,7 @@ def _validate_at_hash(claims, access_token, algorithm):
        raise JWTClaimsError("at_hash claim does not match access_token.")


-def _validate_claims(claims, audience=None, issuer=None, subject=None, algorithm=None, access_token=None, options=None):
+def _validate_claims(now, claims, audience=None, issuer=None, subject=None, algorithm=None, access_token=None, options=None):


Why change the function signature? Wouldn't it be easier to append now=None to the end of the parameter list and keep the function signature the same? And then use

now = now or datetime.utcnow()

to default to datetime.utcnow(), just in case anybody is using these private methods.

I realize that they're private methods, and people are signing up to keep their code up-to-date when they use these private methods, but there's no point in code churn without a good reason.

It was not part of the public API (this particular function does not even have docstring to serve as a documentation), so there was no hesitation to change the signature. Making now (required) positional argument better states the intention to me.

Either way, updated.

blag suggested changes Jul 4, 2021

View reviewed changes

Add option to provide current time when decoding JWT

9667b78

ZipFile force-pushed the current-time-provisioning branch from 7a66496 to 9667b78 Compare July 5, 2021 06:19

ZipFile requested a review from blag July 6, 2021 06:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add option to provide current time when decoding JWT #267

Add option to provide current time when decoding JWT #267

ZipFile commented Jul 4, 2021

codecov bot commented Jul 4, 2021 •

edited

blag left a comment

blag Jul 4, 2021

ZipFile Jul 5, 2021

Add option to provide current time when decoding JWT #267

Are you sure you want to change the base?

Add option to provide current time when decoding JWT #267

Conversation

ZipFile commented Jul 4, 2021

codecov bot commented Jul 4, 2021 • edited

Codecov Report

blag left a comment

Choose a reason for hiding this comment

blag Jul 4, 2021

Choose a reason for hiding this comment

ZipFile Jul 5, 2021

Choose a reason for hiding this comment

codecov bot commented Jul 4, 2021 •

edited