fix(PyJWT): set default strengthened claim verification requirements (unless overridden by developer)

spawn-guy · spawn-guy · commit 1a97f613b292 · 2024-09-13T11:41:34.000+02:00
diff --git a/src/fastapi_auth0/auth.py b/src/fastapi_auth0/auth.py
@@ -88,6 +88,12 @@ def __init__(self, domain: str, api_audience: str, scopes: Dict[str, str]={},
             scopes=scopes)
         self.oidc_scheme = OpenIdConnect(openIdConnectUrl=f'https://{domain}/.well-known/openid-configuration')
         self.options = options or dict()
+        self.options.setdefault("verify_signature", True)
+        self.options.setdefault("verify_aud", True)
+        self.options.setdefault("verify_iss", True)
+        self.options.setdefault("verify_exp", True)
+        self.options.setdefault("verify_iat", True)
+        self.options.setdefault("require", ["iss", "sub", "aud", "iat", "exp"])
         self.jwks_client = jwt.PyJWKClient(f"https://{self.domain}/.well-known/jwks.json")
 
 
@@ -129,7 +135,6 @@ async def get_user(self,
                 signing_key = self.jwks_client.get_signing_key_from_jwt(token)
                 options = self.options.copy()
                 leeway = options.pop("leeway", 0)
-                options.setdefault("require", ["iss", "sub", "aud", "iat", "exp"])
                 payload = jwt.decode(
                     token,
                     signing_key.key,
