This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-release.git


The following commit(s) were added to refs/heads/main by this push:
     new cc3c4d6  Do not verify a JWT header, strictly when debugging the JWT 
itself
cc3c4d6 is described below

commit cc3c4d6c1fac54ee28d1f14569591b22f9b7baee
Author: Sean B. Palmer <[email protected]>
AuthorDate: Thu Aug 14 19:23:38 2025 +0100

    Do not verify a JWT header, strictly when debugging the JWT itself
---
 atr/blueprints/api/api.py | 6 +++---
 atr/jwtoken.py            | 6 ++----
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/atr/blueprints/api/api.py b/atr/blueprints/api/api.py
index fc2eda1..2bec872 100644
--- a/atr/blueprints/api/api.py
+++ b/atr/blueprints/api/api.py
@@ -360,9 +360,9 @@ async def jwt_github(data: models.api.JwtGithubArgs) -> 
DictResponse:
     The payload must include a valid GitHub OIDC JWT.
     """
     # TODO: This is a placeholder for the actual implementation
-    unverified_payload = jwtoken.rs256_unverified_payload(data.jwt)
-    unverified_payload_json = json.dumps(unverified_payload).encode("utf-8")
-    log.secret("GitHub OIDC JWT payload", unverified_payload_json)
+    unverified_header_and_payload = 
jwtoken.unverified_header_and_payload(data.jwt)
+    unverified_header_and_payload_json = 
json.dumps(unverified_header_and_payload).encode("utf-8")
+    log.secret("GitHub OIDC JWT header and payload", 
unverified_header_and_payload_json)
 
     return models.api.JwtGithubResults(
         endpoint="/jwt/github",
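Review bot: The docstring line `The payload must include a valid GitHub OIDC JWT.` no longer matches what the body does, because `jwtoken.unverified_header_and_payload` decodes the token without checking its signature, so nothing here establishes that the JWT is valid or was issued by GitHub. Suggest rewording it to `The payload must include a GitHub OIDC JWT; it is decoded without verification and logged for debugging only.` so a later reader does not mistake this endpoint for an authenticated one. Since the header and claims are sender-controlled at this point, nothing returned by `unverified_header_and_payload` should feed an authorization decision until the TODO above is replaced with verified decoding. The jwt_github function begins and ends outside this hunk.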
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index d90aae7..eb2857f 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -61,17 +61,15 @@ def require[**P, R](func: Callable[P, Coroutine[Any, Any, 
R]]) -> Callable[P, Aw
     return wrapper
 
 
-def rs256_unverified_payload(jwt_value: str) -> dict[str, Any]:
+def unverified_header_and_payload(jwt_value: str) -> dict[str, Any]:
     header = jwt.get_unverified_header(jwt_value)
-    if header != {"alg": "RS256", "typ": "JWT"}:
-        raise RuntimeError("Invalid JWT header.")
 
     try:
         payload = jwt.decode(jwt_value, options={"verify_signature": False})
     except jwt.PyJWTError as e:
         raise RuntimeError(f"Failed to decode JWT: {e}") from e
 
-    return payload
+    return {"header": header, "payload": payload}
 
 
 def verify(token: str) -> dict[str, Any]:
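Review bot: `jwt.get_unverified_header(jwt_value)` is left outside the `try`, so a value that is not even structurally a JWT raises PyJWT's own `DecodeError` instead of the `RuntimeError("Failed to decode JWT: ...")` the rest of the function promises; moving that line inside the `try` gives callers a single exception type to handle. The function also has no docstring now that the header check is gone; suggest `"""Return the header and claims of *jwt_value* without verifying its signature or header; for debugging and logging only, never for authorization."""`. Because the removed `alg`/`typ` comparison was the only constraint on the header, the `alg` value in the returned dict is whatever the sender put there and must not be trusted by anything downstream of this helper.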

