Drop deprecation warnings

jwt/__init__.py

@@ -9,14 +9,11 @@
 )
 from .exceptions import (
     DecodeError,
-    ExpiredSignature,
     ExpiredSignatureError,
     ImmatureSignatureError,
     InvalidAlgorithmError,
-    InvalidAudience,
     InvalidAudienceError,
     InvalidIssuedAtError,
-    InvalidIssuer,
     InvalidIssuerError,
     InvalidSignatureError,
     InvalidTokenError,
@@ -54,14 +51,11 @@
     "unregister_algorithm",
     # Exceptions
     "DecodeError",
-    "ExpiredSignature",
     "ExpiredSignatureError",
     "ImmatureSignatureError",
     "InvalidAlgorithmError",
-    "InvalidAudience",
     "InvalidAudienceError",
     "InvalidIssuedAtError",
-    "InvalidIssuer",
     "InvalidIssuerError",
     "InvalidSignatureError",
     "InvalidTokenError",

jwt/api_jws.py

@@ -1,6 +1,5 @@
 import binascii
 import json
-import warnings
 from collections.abc import Mapping
 
 from .algorithms import requires_cryptography  # NOQA
@@ -145,24 +144,13 @@ def decode(
         verify_signature = merged_options["verify_signature"]
 
         if verify_signature and not algorithms:
-            warnings.warn(
-                "It is strongly recommended that you pass in a "
-                + 'value for the "algorithms" argument when calling decode(). '
-                + "This argument will be mandatory in a future version.",
-                DeprecationWarning,
-                stacklevel=2,
+            raise DecodeError(
+                'It is required that you pass in a value for the "algorithms" argument when calling decode().'
             )
 
         payload, signing_input, header, signature = self._load(jwt)
 
-        if not verify:
-            warnings.warn(
-                "The verify parameter is deprecated. "
-                "Please use verify_signature in options instead.",
-                DeprecationWarning,
-                stacklevel=2,
-            )
-        elif verify_signature:
+        if verify_signature:
             self._verify_signature(
                 payload, signing_input, header, signature, key, algorithms
             )

jwt/api_jwt.py

@@ -1,5 +1,4 @@
 import json
-import warnings
 from calendar import timegm
 from collections.abc import Iterable, Mapping
 from datetime import datetime, timedelta
@@ -26,7 +25,6 @@
 
 class PyJWT(PyJWS):
     header_type = "JWT"
-    deprecated_requires = ["require_exp", "require_iat", "require_nbf"]
 
     @staticmethod
     def _get_default_options():
@@ -76,29 +74,23 @@ def decode(
         self,
         jwt,  # type: str
         key="",  # type: str
-        verify=True,  # type: bool
         algorithms=None,  # type: List[str]
         options=None,  # type: Dict
         complete=False,  # type: bool
         **kwargs
-    ):
-        # type: (...) -> Dict[str, Any]
-
-        if verify and not algorithms:
-            warnings.warn(
-                "It is strongly recommended that you pass in a "
-                + 'value for the "algorithms" argument when calling decode(). '
-                + "This argument will be mandatory in a future version.",
-                DeprecationWarning,
-                stacklevel=2,
-            )
+    ):  # type: (...) -> Dict[str, Any]
 
         payload, _, _, _ = self._load(jwt)
 
         if options is None:
-            options = {"verify_signature": verify}
+            options = {"verify_signature": True}
         else:
-            options.setdefault("verify_signature", verify)
+            options.setdefault("verify_signature", True)
+
+        if options["verify_signature"] and not algorithms:
+            raise DecodeError(
+                'It is required that you pass in a value for the "algorithms" argument when calling decode().'
+            )
 
         decoded = super().decode(
             jwt,
@@ -119,7 +111,7 @@ def decode(
         if not isinstance(payload, dict):
             raise DecodeError("Invalid payload string: must be a json object")
 
-        if verify:
+        if options["verify_signature"]:
             merged_options = merge_dict(self.options, options)
             self._validate_claims(payload, merged_options, **kwargs)
 
@@ -132,38 +124,11 @@ def decode(
     def _validate_claims(
         self, payload, options, audience=None, issuer=None, leeway=0, **kwargs
     ):
-
-        if "verify_expiration" in kwargs:
-            options["verify_exp"] = kwargs.get("verify_expiration", True)
-            warnings.warn(
-                "The verify_expiration parameter is deprecated. "
-                "Please use verify_exp in options instead.",
-                DeprecationWarning,
-                stacklevel=3,
-            )
-
-        verify_claims = {
-            required
-            for required in self.deprecated_requires
-            if required in options
-        }
-        require_options = options.setdefault("require", [])
-        for opt in verify_claims:
-            opt_claim = opt.split("require_", 1)[1]
-            if options[opt]:
-                require_options.append(opt_claim)
-            warnings.warn(
-                "The {} parameter is deprecated. Please add {} to"
-                " the require list in options instead".format(opt, opt_claim),
-                DeprecationWarning,
-                stacklevel=3,
-            )
-
         if isinstance(leeway, timedelta):
             leeway = leeway.total_seconds()
 
-        if not isinstance(audience, (type(None), Iterable)):
-            raise TypeError("audience must be an iterable or None")
+        if not isinstance(audience, (bytes, str, type(None), Iterable)):
+            raise TypeError("audience must be a string, iterable, or None")
 
         self._validate_required_claims(payload, options)
 

jwt/exceptions.py

@@ -64,9 +64,3 @@ class PyJWKSetError(PyJWTError):
 
 class PyJWKClientError(PyJWTError):
     pass
-
-
-# Compatibility aliases (deprecated)
-ExpiredSignature = ExpiredSignatureError
-InvalidAudience = InvalidAudienceError
-InvalidIssuer = InvalidIssuerError

jwt/jwks_client.py

@@ -59,6 +59,8 @@ def get_signing_key(self, kid):
         return signing_key
 
     def get_signing_key_from_jwt(self, token):
-        unverified = decode_token(token, complete=True, verify=False)
+        unverified = decode_token(
+            token, complete=True, options={"verify_signature": False}
+        )
         header = unverified.get("header")
         return self.get_signing_key(header.get("kid"))

tests/keys/__init__.py

@@ -13,7 +13,7 @@ def decode_value(val):
 
 
 def load_hmac_key():
-    with open(os.path.join(BASE_PATH, "jwk_hmac.json")) as infile:
+    with open(os.path.join(BASE_PATH, "jwk_hmac.json"), "r") as infile:
         keyobj = json.load(infile)
 
     return base64url_decode(force_bytes(keyobj["k"]))
@@ -31,24 +31,26 @@ def load_hmac_key():
 if has_crypto:
 
     def load_rsa_key():
-        with open(os.path.join(BASE_PATH, "jwk_rsa_key.json")) as infile:
+        with open(os.path.join(BASE_PATH, "jwk_rsa_key.json"), "r") as infile:
             return RSAAlgorithm.from_jwk(infile.read())
 
     def load_rsa_pub_key():
-        with open(os.path.join(BASE_PATH, "jwk_rsa_pub.json")) as infile:
+        with open(os.path.join(BASE_PATH, "jwk_rsa_pub.json"), "r") as infile:
             return RSAAlgorithm.from_jwk(infile.read())
 
     def load_ec_key():
-        with open(os.path.join(BASE_PATH, "jwk_ec_key.json")) as infile:
+        with open(os.path.join(BASE_PATH, "jwk_ec_key.json"), "r") as infile:
             keyobj = json.load(infile)
 
         return ec.EllipticCurvePrivateNumbers(
             private_value=decode_value(keyobj["d"]),
-            public_numbers=load_ec_pub_key().public_numbers(),
+            public_numbers=load_ec_pub_key_p_521().public_numbers(),
         )
 
-    def load_ec_pub_key():
-        with open(os.path.join(BASE_PATH, "jwk_ec_pub.json")) as infile:
+    def load_ec_pub_key_p_521():
+        with open(
+            os.path.join(BASE_PATH, "jwk_ec_pub_P-521.json"), "r"
+        ) as infile:
             keyobj = json.load(infile)
 
         return ec.EllipticCurvePublicNumbers(

tests/keys/jwk_ec_pub_P-521.json

@@ -0,0 +1,7 @@
+{
+  "kty": "EC",
+  "kid": "[email protected]",
+  "crv": "P-521",
+  "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
+  "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVySsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
+}

tests/keys/testkey_ec.priv

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2nninfu2jMHDwAbn
+9oERUhRADS6duQaJEadybLaa0YShRANCAAQfMBxRZKUYEdy5/fLdGI2tYj6kTr50
+PZPt8jOD23rAR7dhtNpG1ojqopmH0AH5wEXadgk8nLCT4cAPK59Qp9Ek
+-----END PRIVATE KEY-----

tests/keys/testkey_ec.pub

@@ -1,6 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBWcJwPEAnS/k4kFgUhxNF7J0SQQhZ
-G+nNgy+/mXwhQ5PZIUmId1a1TjkNXiKzv6DpttBqduHbz/V0EtH+QfWy0B4BhZ5M
-nTyDGjcz1DQqKdexebhzobbhSIZjpYd5aU48o9rXp/OnAnrajddpGsJ0bNf4rtML
-BqFYJN6LOslAB7xTBRg=
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHzAcUWSlGBHcuf3y3RiNrWI+pE6+
+dD2T7fIzg9t6wEe3YbTaRtaI6qKZh9AB+cBF2nYJPJywk+HADyufUKfRJA==
 -----END PUBLIC KEY-----

tests/keys/testkey_ec_ssh.pub

@@ -1 +1 @@
-ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFZwnA8QCdL+TiQWBSHE0XsnRJBCFkb6c2DL7+ZfCFDk9khSYh3VrVOOQ1eIrO/oOm20Gp24dvP9XQS0f5B9bLQHgGFnkydPIMaNzPUNCop17F5uHOhtuFIhmOlh3lpTjyj2ten86cCetqN12kawnRs1/iu0wsGoVgk3os6yUAHvFMFGA==
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB8wHFFkpRgR3Ln98t0Yja1iPqROvnQ9k+3yM4PbesBHt2G02kbWiOqimYfQAfnARdp2CTycsJPhwA8rn1Cn0SQ=