Merge pull request #156 from mark-adams/get-unprotected-header

Added get_unverified_header method to jwt / jws
jpadilla · May 13, 2015 · fdd477a · fdd477a
2 parents 6c9cada + 922940e
commit fdd477a
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 [Unreleased][unreleased]
 -------------------------------------------------------------------------
+### Added
+- Added a new `jwt.get_unverified_header()` to parse and return the header portion of a token prior to signature verification.
 
 [v1.2.0][1.2.0]
 -------------------------------------------------------------------------

diff --git a/jwt/__init__.py b/jwt/__init__.py
@@ -17,7 +17,8 @@
 
 
 from .api_jwt import (
-    encode, decode, register_algorithm, unregister_algorithm, PyJWT
+    encode, decode, register_algorithm, unregister_algorithm,
+    get_unverified_header, PyJWT
 )
 from .api_jws import PyJWS
 from .exceptions import (

diff --git a/jwt/api_jws.py b/jwt/api_jws.py
@@ -119,6 +119,14 @@ def decode(self, jws, key='', verify=True, algorithms=None, options=None,
 
         return payload
 
+    def get_unverified_header(self, jwt):
+        """Returns back the JWT header parameters as a dict()
+
+        Note: The signature is not verified so the header parameters
+        should not be fully trusted until signature verification is complete
+        """
+        return self._load(jwt)[2]
+
     def _load(self, jwt):
         if isinstance(jwt, text_type):
             jwt = jwt.encode('utf-8')
@@ -178,3 +186,4 @@ def _verify_signature(self, payload, signing_input, header, signature,
 decode = _jws_global_obj.decode
 register_algorithm = _jws_global_obj.register_algorithm
 unregister_algorithm = _jws_global_obj.unregister_algorithm
+get_unverified_header = _jws_global_obj.get_unverified_header
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -169,3 +169,4 @@ def _validate_iss(self, payload, issuer):
 decode = _jwt_global_obj.decode
 register_algorithm = _jwt_global_obj.register_algorithm
 unregister_algorithm = _jwt_global_obj.unregister_algorithm
+get_unverified_header = _jwt_global_obj.get_unverified_header
diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
@@ -356,6 +356,15 @@ def test_decode_with_algo_none_and_verify_false_should_pass(self, jws, payload):
         jws_message = jws.encode(payload, key=None, algorithm=None)
         jws.decode(jws_message, verify=False)
 
+    def test_get_unverified_header_returns_header_values(self, jws, payload):
+        jws_message = jws.encode(payload, key='secret', algorithm='HS256',
+                                 headers={'kid': 123})
+
+        header = jws.get_unverified_header(jws_message)
+
+        assert 'kid' in header
+        assert header['kid'] == 123
+
     @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library')
     def test_encode_decode_with_rsa_sha256(self, jws, payload):
         # PEM-formatted RSA key