12
113
Fork
You've already forked django-allauth
149

refactor(socialaccount): extract pure decode_id_token helper #4764

Open
bufke wants to merge 1 commit from bufke/django-allauth:refactor-jwtkit-decode-id-token into main
pull from: bufke/django-allauth:refactor-jwtkit-decode-id-token
merge into: allauth:main
allauth:main
allauth:fix/account-middleware-reauth-exc-vs-api
allauth:65.12.x
allauth:65.11.x
allauth:feat/openid-connect-id-token
allauth:fix/phone-vs-social-signup
allauth:65.8.x
allauth:feat/idp
allauth:feat/resend-code-or-change
allauth:fix/phone-signup-conflict
allauth:feat/phone
allauth:fix/headless-email-verification-by-code
allauth:fix/a11y
allauth:feat/facebook-limited-login
allauth:fix/headless-only-connect-reauth
allauth:fix/email-added-vs-code-verification
allauth:feat/login-required-middleware
allauth:0.63.x
allauth:refactor-unique-true-field
allauth:0.62.x
allauth:0.57.x
allauth:0.60.x
allauth:0.55.x
allauth:feat-metamask
Contributor
Copy link

Another io-free function refactor with testing. All it does is wrap the jwt.decode + params into decode_id_token. Not much of a improvement on it's own, but it puts the security related code in a directly testable place. It's preparation to consider things like caching the jwk, OIDC, or the async-fork a-sibling functions without copying security critical code in multiple places. I want to propose this first before anything else. a-prefixes would stay only in my fork.

General

  • Make sure you use semantic commit messages.
    Examples: "fix(google): Fixed foobar bug", "feat(accounts): Added foobar feature".
  • All Python code must formatted using Black, and clean from pep8 and isort issues.
  • JavaScript code should adhere to StandardJS.
  • If your changes are significant, please update ChangeLog.rst.
  • If your change is substantial, feel free to add yourself to AUTHORS.
Another io-free function refactor with testing. All it does is wrap the jwt.decode + params into decode_id_token. Not much of a improvement on it's own, but it puts the security related code in a directly testable place. It's preparation to consider things like caching the jwk, OIDC, or the async-fork a-sibling functions without copying security critical code in multiple places. I want to propose this first before anything else. a-prefixes would stay only in my fork. ## General - [x] Make sure you use [semantic commit messages](https://seesparkbox.com/foundry/semantic_commit_messages). Examples: `"fix(google): Fixed foobar bug"`, `"feat(accounts): Added foobar feature"`. - [x] All Python code must formatted using Black, and clean from pep8 and isort issues. - [ ] JavaScript code should adhere to [StandardJS](https://standardjs.com). - [ ] If your changes are significant, please update `ChangeLog.rst`. - [ ] If your change is substantial, feel free to add yourself to `AUTHORS`.
refactor(socialaccount): extract pure decode_id_token helper
Some checks are pending
ci/woodpecker/pr/woodpecker/1 Pipeline is pending approval
ci/woodpecker/pr/woodpecker/2 Pipeline is pending approval
a972cd7622
Extract the pure JWT signature and iss/aud/exp claim-validation step out
of verify_and_decode into a standalone, module-level decode_id_token
helper. Previously verify_and_decode interleaved network I/O (fetch_key),
the pure jwt.decode call, and cache access (verify_jti) in one body,
which made the security-sensitive claim-validation logic impossible to
exercise in isolation.
decode_id_token takes an already-fetched key and performs no network or
cache access, so it can be unit tested directly with a symmetric-key
token. The try/except that wraps jwt.PyJWTError into OAuth2Error stays in
the caller, so the set of errors that get wrapped (including those raised
by fetch_key) is unchanged. Behavior is identical.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bufke force-pushed refactor-jwtkit-decode-id-token from a972cd7622
Some checks are pending
ci/woodpecker/pr/woodpecker/1 Pipeline is pending approval
ci/woodpecker/pr/woodpecker/2 Pipeline is pending approval
to 7d800dc5e8
Some checks are pending
ci/woodpecker/pr/woodpecker/1 Pipeline is pending approval
ci/woodpecker/pr/woodpecker/2 Pipeline is pending approval
2026年07月08日 19:10:56 +02:00
Compare
Some checks are pending
ci/woodpecker/pr/woodpecker/1 Pipeline is pending approval
ci/woodpecker/pr/woodpecker/2 Pipeline is pending approval
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u refactor-jwtkit-decode-id-token:bufke-refactor-jwtkit-decode-id-token
git switch bufke-refactor-jwtkit-decode-id-token

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff bufke-refactor-jwtkit-decode-id-token
git switch bufke-refactor-jwtkit-decode-id-token
git rebase main
git switch main
git merge --ff-only bufke-refactor-jwtkit-decode-id-token
git switch bufke-refactor-jwtkit-decode-id-token
git rebase main
git switch main
git merge --no-ff bufke-refactor-jwtkit-decode-id-token
git switch main
git merge --squash bufke-refactor-jwtkit-decode-id-token
git switch main
git merge --ff-only bufke-refactor-jwtkit-decode-id-token
git switch main
git merge bufke-refactor-jwtkit-decode-id-token
git push origin main
Sign in to join this conversation.
No reviewers
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
allauth/django-allauth!4764
Reference in a new issue
allauth/django-allauth
No description provided.
Delete branch "bufke/django-allauth:refactor-jwtkit-decode-id-token"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?