andre/crewAI
1
0
Fork 0
mirror of https://github.com/crewAIInc/crewAI.git synced 2026-01-26 16:48:13 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

fix: add a leeway of 10s when decoding jwt (#3698)

Browse Source
This commit is contained in:
Heitor Carvalho
2025-10-13 12:42:03 -03:00
committed by GitHub
parent 7b550ebfe8
commit 2ebb2e845f
2 changed files with 19 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/crewai/cli/authentication/utils.py
View File

@@ -30,6 +30,7 @@ def validate_jwt_token(
algorithms=["RS256"], algorithms=["RS256"],
audience=audience, audience=audience,
issuer=issuer, issuer=issuer,
leeway=10.0,
options={ options={
"verify_signature": True, "verify_signature": True,
"verify_exp": True, "verify_exp": True,

33
tests/cli/authentication/test_utils.py
View File

@@ -1,7 +1,7 @@
import jwt
import unittest import unittest
from unittest.mock import MagicMock, patch from unittest.mock import MagicMock, patch
import jwt
from crewai.cli.authentication.utils import validate_jwt_token from crewai.cli.authentication.utils import validate_jwt_token
@@ -17,19 +17,22 @@ class TestUtils(unittest.TestCase):
key="mock_signing_key" key="mock_signing_key"
) )
jwt_token = "aaaaa.bbbbbb.cccccc" # noqa: S105
decoded_token = validate_jwt_token( decoded_token = validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token=jwt_token,
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
) )
mock_jwt.decode.assert_called_with( mock_jwt.decode.assert_called_with(
"aaaaa.bbbbbb.cccccc", jwt_token,
"mock_signing_key", "mock_signing_key",
algorithms=["RS256"], algorithms=["RS256"],
audience="app_id_xxxx", audience="app_id_xxxx",
issuer="https://mock_issuer", issuer="https://mock_issuer",
leeway=10.0,
options={ options={
"verify_signature": True, "verify_signature": True,
"verify_exp": True, "verify_exp": True,
@@ -43,9 +46,9 @@ class TestUtils(unittest.TestCase):
def test_validate_jwt_token_expired(self, mock_jwt, mock_pyjwkclient): def test_validate_jwt_token_expired(self, mock_jwt, mock_pyjwkclient):
mock_jwt.decode.side_effect = jwt.ExpiredSignatureError mock_jwt.decode.side_effect = jwt.ExpiredSignatureError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
@@ -53,9 +56,9 @@ class TestUtils(unittest.TestCase):
def test_validate_jwt_token_invalid_audience(self, mock_jwt, mock_pyjwkclient): def test_validate_jwt_token_invalid_audience(self, mock_jwt, mock_pyjwkclient):
mock_jwt.decode.side_effect = jwt.InvalidAudienceError mock_jwt.decode.side_effect = jwt.InvalidAudienceError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
@@ -63,9 +66,9 @@ class TestUtils(unittest.TestCase):
def test_validate_jwt_token_invalid_issuer(self, mock_jwt, mock_pyjwkclient): def test_validate_jwt_token_invalid_issuer(self, mock_jwt, mock_pyjwkclient):
mock_jwt.decode.side_effect = jwt.InvalidIssuerError mock_jwt.decode.side_effect = jwt.InvalidIssuerError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
@@ -75,9 +78,9 @@ class TestUtils(unittest.TestCase):
self, mock_jwt, mock_pyjwkclient self, mock_jwt, mock_pyjwkclient
): ):
mock_jwt.decode.side_effect = jwt.MissingRequiredClaimError mock_jwt.decode.side_effect = jwt.MissingRequiredClaimError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
@@ -85,9 +88,9 @@ class TestUtils(unittest.TestCase):
def test_validate_jwt_token_jwks_error(self, mock_jwt, mock_pyjwkclient): def test_validate_jwt_token_jwks_error(self, mock_jwt, mock_pyjwkclient):
mock_jwt.decode.side_effect = jwt.exceptions.PyJWKClientError mock_jwt.decode.side_effect = jwt.exceptions.PyJWKClientError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",
@@ -95,9 +98,9 @@ class TestUtils(unittest.TestCase):
def test_validate_jwt_token_invalid_token(self, mock_jwt, mock_pyjwkclient): def test_validate_jwt_token_invalid_token(self, mock_jwt, mock_pyjwkclient):
mock_jwt.decode.side_effect = jwt.InvalidTokenError mock_jwt.decode.side_effect = jwt.InvalidTokenError
with self.assertRaises(Exception): with self.assertRaises(Exception): # noqa: B017
validate_jwt_token( validate_jwt_token(
jwt_token="aaaaa.bbbbbb.cccccc", jwt_token="aaaaa.bbbbbb.cccccc", # noqa: S106
jwks_url="https://mock_jwks_url", jwks_url="https://mock_jwks_url",
issuer="https://mock_issuer", issuer="https://mock_issuer",
audience="app_id_xxxx", audience="app_id_xxxx",