o i}V@sUddlmZddlZddlZddlZddlmZddlmZm Z m Z ddl m Z m Z m Z ddlmZmZmZmZddlmZmZdd lmZmZmZmZmZmZmZmZmZdd lm Z esge!e"d d rddl#Z#e#j$d krwddlm%Z%nddl&m%Z%ddl'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.e(rddl'm/Z/m0Z0ee/e*e1e2fZ3de4d<ee0e*e1e2fZ5de4d<nee*e1e2fZ3de4d<ee*e1e2fZ5de4d<GdddZ6e6Z7ee7_8e7j9Z9e7j:Z:e7j;Z;dS)) annotationsN)timegm) ContainerIterableSequence)datetime timedeltatimezone) TYPE_CHECKINGAnyUnioncast)PyJWS_jws_global_obj) DecodeErrorExpiredSignatureErrorImmatureSignatureErrorInvalidAudienceErrorInvalidIssuedAtErrorInvalidIssuerErrorInvalidJTIErrorInvalidSubjectErrorMissingRequiredClaimError)RemovedInPyjwt3WarningZ SPHINX_BUILD) ) TypeAlias) has_crypto)PyJWK) FullOptionsOptions SigOptions)AllowedPrivateKeysAllowedPublicKeysrAllowedPrivateKeyTypesAllowedPublicKeyTypesc@seZdZd[d\ddZed]d d Zd^d d Zd[d_ddZ    d`dadd Z  dbdcd"d#Z $        %ddded8d9Z dfd;d<Z $        %dddgd>d?Z    %dhdidBdCZ djdFdGZ d[dkdHdIZdldJdKZdmdNdOZdmdPdQZdmdRdSZdTdUdndWdXZdodYdZZdS)pPyJWTNoptionsOptions | NonereturnNonecCs6|||_|dur|||_t|d|_dS)N)r))_get_default_optionsr)_merge_optionsr_get_sig_options_jwsselfr)r3B/home/app/Keep/.python/lib/python3.10/site-packages/jwt/api_jwt.py__init__1s   zPyJWT.__init__r!c Csddddddddgddd S)NTF) verify_signature verify_exp verify_nbf verify_iat verify_aud verify_iss verify_sub verify_jtirequire strict_audenforce_minimum_key_lengthr3r3r3r3r4r-9szPyJWT._get_default_optionsr#cCs|jd|jdddS)Nr6r@F)r6r@r)get)r2r3r3r4r/Is zPyJWT._get_sig_optionscCs|dur|jS|ddsE|dd|d<|dd|d<|dd|d<|dd|d<|dd|d<|d d|d <|d d|d <i|j|S) Nr6Tr7Fr8r9r:r;r<r=rAr1r3r3r4r.Qs zPyJWT._merge_optionsHS256Tpayloaddict[str, Any]keyr& algorithm str | Noneheadersdict[str, Any] | None json_encodertype[json.JSONEncoder] | None sort_headersboolstrc Cst|ts td|}dD]}t||tr#t||||<qd|vr3t|dts3td|j |||d}|j j ||||||dS)aEncode the ``payload`` as JSON Web Token. :param payload: JWT claims, e.g. ``dict(iss=..., aud=..., sub=...)`` :type payload: dict[str, typing.Any] :param key: a key suitable for the chosen algorithm: * for **asymmetric algorithms**: PEM-formatted private key, a multiline string * for **symmetric algorithms**: plain string, sufficiently long for security :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPrivateKeys` :param algorithm: algorithm to sign the token with, e.g. ``"ES256"``. If ``headers`` includes ``alg``, it will be preferred to this parameter. If ``key`` is a :class:`PyJWK` object, by default the key algorithm will be used. :type algorithm: str or None :param headers: additional JWT header fields, e.g. ``dict(kid="my-key-id")``. :type headers: dict[str, typing.Any] or None :param json_encoder: custom JSON encoder for ``payload`` and ``headers`` :type json_encoder: json.JSONEncoder or None :rtype: str :returns: a JSON Web Token :raises TypeError: if ``payload`` is not a ``dict`` zGExpecting a dict object, as JWT only supports JSON objects as payloads.)expiatnbfisszIssuer (iss) must be a string.)rIrK)rM) isinstancedict TypeErrorcopyrBrr utctimetuplerO_encode_payloadr0encode) r2rDrFrGrIrKrMZ time_claimZ json_payloadr3r3r4rZ`s0 "z PyJWT.encodebytescCstj|d|ddS)z Encode a given payload to the bytes to be signed. This method is intended to be overridden by subclasses that need to encode the payload in a different way, e.g. compress the payload. ),:) separatorsclszutf-8)jsondumpsrZ)r2rDrIrKr3r3r4rYs zPyJWT._encode_payloadrrjwt str | bytesr' algorithmsSequence[str] | Noneverify bool | Nonedetached_payload bytes | Noneaudiencestr | Iterable[str] | Noneissuerstr | Container[str] | Nonesubjectleewayfloat | timedeltakwargsr c Ks| rtjdt| tdd|durd} n|dd} |dur.|| kr.tjdtdd||} d| i}|jj |||||d }| |}|j || ||| | d ||d <|S) u$Identical to ``jwt.decode`` except for return value which is a dictionary containing the token header (JOSE Header), the token payload (JWT Payload), and token signature (JWT Signature) on the keys "header", "payload", and "signature" respectively. :param jwt: the token to be decoded :type jwt: str or bytes :param key: the key suitable for the allowed algorithm :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys` :param algorithms: allowed algorithms, e.g. ``["ES256"]`` .. warning:: Do **not** compute the ``algorithms`` parameter based on the ``alg`` from the token itself, or on any other data that an attacker may be able to influence, as that might expose you to various vulnerabilities (see `RFC 8725 §2.1 `_). Instead, either hard-code a fixed value for ``algorithms``, or configure it in the same place you configure the ``key``. Make sure not to mix symmetric and asymmetric algorithms that interpret the ``key`` in different ways (e.g. HS\* and RS\*). :type algorithms: typing.Sequence[str] or None :param jwt.types.Options options: extended decoding and validation options Refer to :py:class:`jwt.types.Options` for more information. :param audience: optional, the value for ``verify_aud`` check :type audience: str or typing.Iterable[str] or None :param issuer: optional, the value for ``verify_iss`` check :type issuer: str or typing.Container[str] or None :param leeway: a time margin in seconds for the expiration check :type leeway: float or datetime.timedelta :rtype: dict[str, typing.Any] :returns: Decoded JWT with the JOSE Header on the key ``header``, the JWS Payload on the key ``payload``, and the JWS Signature on the key ``signature``. zypassing additional kwargs to decode_complete() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs:  stacklevelNTr6zThe `verify` argument to `decode` does nothing in PyJWT 2.0 and newer. The equivalent is setting `verify_signature` to False in the `options` dictionary. This invocation has a mismatch between the kwarg and the option entry.)categoryrt)rFrdr)rh)rjrlrornrD) warningswarntuplekeysrrBDeprecationWarningr.r0decode_complete_decode_payload_validate_claims)r2rbrFrdr)rfrhrjrlrnrorqr6Zmerged_optionsZ sig_optionsdecodedrDr3r3r4r{sL9     zPyJWT.decode_completer~c CsRz t|d}Wnty}ztd||d}~wwt|ts'td|S)a Decode the payload from a JWS dictionary (payload, signature, header). This method is intended to be overridden by subclasses that need to decode the payload in a different way, e.g. decompress compressed payloads. rDzInvalid payload string: Nz-Invalid payload string: must be a json object)r`loads ValueErrorrrTrU)r2r~rDer3r3r4r|"s zPyJWT._decode_payload'AllowedPublicKeys | PyJWK | str | bytesc KsV| rtjdt| tdd|j||||||||| | d } tttt f| dS)uVerify the ``jwt`` token signature and return the token claims. :param jwt: the token to be decoded :type jwt: str or bytes :param key: the key suitable for the allowed algorithm :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys` :param algorithms: allowed algorithms, e.g. ``["ES256"]`` If ``key`` is a :class:`PyJWK` object, allowed algorithms will default to the key algorithm. .. warning:: Do **not** compute the ``algorithms`` parameter based on the ``alg`` from the token itself, or on any other data that an attacker may be able to influence, as that might expose you to various vulnerabilities (see `RFC 8725 §2.1 `_). Instead, either hard-code a fixed value for ``algorithms``, or configure it in the same place you configure the ``key``. Make sure not to mix symmetric and asymmetric algorithms that interpret the ``key`` in different ways (e.g. HS\* and RS\*). :type algorithms: typing.Sequence[str] or None :param jwt.types.Options options: extended decoding and validation options Refer to :py:class:`jwt.types.Options` for more information. :param audience: optional, the value for ``verify_aud`` check :type audience: str or typing.Iterable[str] or None :param subject: optional, the value for ``verify_sub`` check :type subject: str or None :param issuer: optional, the value for ``verify_iss`` check :type issuer: str or typing.Container[str] or None :param leeway: a time margin in seconds for the expiration check :type leeway: float or datetime.timedelta :rtype: dict[str, typing.Any] :returns: the JWT claims zppassing additional kwargs to decode() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs: rrrs)rfrhrjrnrlrorD) rvrwrxryrr{r rUrOr ) r2rbrFrdr)rfrhrjrnrlrorqr~r3r3r4decode2s*9  z PyJWT.decodeIterable[str] | str | NoneContainer[str] | str | NonecCst|tr |}|durt|ttfstd|||dtjt j d }d|vr8|dr8| |||d|vrG|drG| |||d|vrV|d rV|||||d r`||||d rp|j|||d d d|drz||||dr||dSdS)Nz+audience must be a string, iterable or Noner>)tzrQr9rRr8rPr7r;r:r?Fstrictr<r=)rTr total_secondsrOrrV_validate_required_claimsrnowr utc timestamp _validate_iat _validate_nbf _validate_exp _validate_iss _validate_audrB _validate_sub _validate_jti)r2rDr)rjrlrnrorr3r3r4r}s.   zPyJWT._validate_claimsclaims Iterable[str]cCs$|D] }||durt|qdSN)rBr)r2rDrZclaimr3r3r4rs zPyJWT._validate_required_claimscCsHd|vrdSt|dtstd|dur |d|kr"tddSdS)z Checks whether "sub" if in the payload is valid or not. This is an Optional claim :param payload(dict): The payload which needs to be validated :param subject(str): The subject of the token subNzSubject must be a stringzInvalid subject)rTrOrrB)r2rDrnr3r3r4rs zPyJWT._validate_subcCs(d|vrdSt|dtstddS)z Checks whether "jti" if in the payload is valid or not This is an Optional claim :param payload(dict): The payload which needs to be validated ZjtiNzJWT ID must be a string)rTrBrOr)r2rDr3r3r4rs zPyJWT._validate_jtirfloatcCBzt|d}Wn tytddw|||krtddS)NrQz)Issued At claim (iat) must be an integer.z The token is not yet valid (iat))intrrr)r2rDrrorQr3r3r4rs  zPyJWT._validate_iatcCr)NrRz*Not Before claim (nbf) must be an integer.z The token is not yet valid (nbf))rrrr)r2rDrrorRr3r3r4rs   zPyJWT._validate_nbfcCsBzt|d}Wn tytddw|||krtddS)NrPz/Expiration Time claim (exp) must be an integer.zSignature has expired)rrrr)r2rDrrorPr3r3r4rs  zPyJWT._validate_expFrrcs|durd|vs |dsdStdd|vs|dstd|d|r@t|ts-tdtts6td|kr>tddSttrHgttsQtdtddDr^tdt|trf|g}tfd d|Drutd dS) NaudzInvalid audiencezInvalid audience (strict)z&Invalid claim format in token (strict)zAudience doesn't match (strict)zInvalid claim format in tokencss|] }t|t VqdSr)rTrO).0cr3r3r4 -sz&PyJWT._validate_aud..c3s|]}|vVqdSrr3)rrZaudience_claimsr3r4r3szAudience doesn't match)rrrTrOlistanyall)r2rDrjrr3rr4rs4     zPyJWT._validate_audcCs|durdSd|vrtd|d}t|tstdt|tr*||kr(tddSz ||vr3tdWdStyAtddw)NrSz%Payload Issuer (iss) must be a stringzInvalid issuerz.Issuer param must be "str" or "Container[str]")rrTrOrrV)r2rDrlrSr3r3r4r6s,   zPyJWT._validate_issr)r)r*r+r,)r+r!)r+r#)r)r*r+r!)rCNNT)rDrErFr&rGrHrIrJrKrLrMrNr+rO)NN)rDrErIrJrKrLr+r[) rNNNNNNNr)rbrcrFr'rdrer)r*rfrgrhrirjrkrlrmrnrHrorprqr r+rE)r~rEr+rE)rbrcrFrrdrer)r*rfrgrhrirjrkrnrHrlrmrorprqr r+rE)NNNr)rDrEr)r!rjrrlrrnrHrorpr+r,)rDrErrr+r,)rDrErnrHr+r,)rDrEr+r,)rDrErrrorr+r,)rDrErjrkrrNr+r,)rDrErlrr+r,)__name__ __module__ __qualname__r5 staticmethodr-r/r.rZrYr{r|rr}rrrrrrrrr3r3r3r4r(0sd     E  n S *    2r()< __future__rr`osrvcalendarrcollections.abcrrrrrr typingr r r r Zapi_jwsrr exceptionsrrrrrrrrrrrNgetenvsys version_inforZtyping_extensionsrdrZapi_jwkr typesr!r"r#r$r%rOr[r&__annotations__r'r(Z_jwt_global_objr0rZr{rr3r3r3r4sF ,     $