37 lines
673 B
Plaintext
37 lines
673 B
Plaintext
== How to fix it in PyJWT
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale-decode.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
import jwt
|
|
|
|
jwt.decode(token, options={"verify_signature":False}) # Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
By default, verification is enabled for the method `decode`.
|
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
|
----
|
|
import jwt
|
|
|
|
jwt.decode(token, key, algorithms="HS256")
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/decode.adoc[]
|
|
|
|
=== Going the extra mile
|
|
|
|
include::../../common/extra-mile/key-storage.adoc[]
|
|
|
|
include::../../common/extra-mile/key-rotation.adoc[]
|
|
|