rspec/rules/S5659/python/how-to-fix-it/python-jose.adoc

== How to fix it in python-jose

=== Code examples

include::../../common/fix/code-rationale-decode.adoc[]

==== Noncompliant code example

[source,python,diff-id=111,diff-type=noncompliant]
----
from jose import jwt

jwt.decode(token, None, options={"verify_signature": False}) # Noncompliant
----

==== Compliant solution

By default, verification is enabled for the methods `decode` and `verify`.

[source,python,diff-id=111,diff-type=compliant]
----
from jose import jwt

jwt.decode(token, key, algorithms=["HS256"])
----

=== How does this work?

include::../../common/fix/decode.adoc[]

=== Going the extra mile

include::../../common/extra-mile/key-storage.adoc[]

include::../../common/extra-mile/key-rotation.adoc[]
Modify rule S5659: Add python-jose (APPSEC-1262) (#3399) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-11-03 15:30:06 +01:00			`== How to fix it in python-jose`

			`=== Code examples`

			`include::../../common/fix/code-rationale-decode.adoc[]`

			`==== Noncompliant code example`

			`[source,python,diff-id=111,diff-type=noncompliant]`
			`----`
			`from jose import jwt`

			`jwt.decode(token, None, options={"verify_signature": False}) # Noncompliant`
			`----`

			`==== Compliant solution`

			By default, verification is enabled for the methods `decode` and `verify`.

			`[source,python,diff-id=111,diff-type=compliant]`
			`----`
			`from jose import jwt`

			`jwt.decode(token, key, algorithms=["HS256"])`
			`----`

			`=== How does this work?`

			`include::../../common/fix/decode.adoc[]`

			`=== Going the extra mile`

			`include::../../common/extra-mile/key-storage.adoc[]`

			`include::../../common/extra-mile/key-rotation.adoc[]`