Refactor JWT validation in SessionService by removing pre-flight algorithm checks and updating error handling. Adjust tests to reflect changes in algorithm validation, specifically for PyJWKClientError.

Dopeamin · Dopeamin · commit 43e4b22ab97a · 2025-06-11T16:05:41.000+02:00
diff --git a/src/corbado_python_sdk/services/implementation/session_service.py b/src/corbado_python_sdk/services/implementation/session_service.py
@@ -1,6 +1,5 @@
 import jwt
 from jwt import (
-    get_unverified_header,          # ← added
     ExpiredSignatureError,
     ImmatureSignatureError,
     InvalidAlgorithmError,
@@ -81,23 +80,6 @@ def validate_token(self, session_token: StrictStr) -> UserEntity:
                 message=ValidationErrorType.CODE_JWT_EMPTY_SESSION_TOKEN.name,
             )
 
-        # ---- pre-flight alg rejection ----
-        try:
-            header = get_unverified_header(session_token)
-        except Exception as err:
-            raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_GENERAL,
-                message=f"Error parsing JWT header: {session_token}",
-                original_exception=err,
-            )
-        if header.get("alg") not in ALLOWED_ALGS:
-            raise TokenValidationException(
-                error_type=ValidationErrorType.CODE_JWT_INVALID_SIGNATURE,
-                message="Algorithm not allowed",
-                original_exception=InvalidAlgorithmError("Algorithm not allowed"),
-            )
-        # -----------------------------------------
-
         # retrieve signing key
         try:
             signing_key: jwt.PyJWK = self._jwk_client.get_signing_key_from_jwt(token=session_token)
diff --git a/tests/unit/test_session_service.py b/tests/unit/test_session_service.py
@@ -10,6 +10,7 @@
     ImmatureSignatureError,
     InvalidAlgorithmError,
     InvalidSignatureError,
+    PyJWKClientError,
     encode,
 )
 from pydantic import ValidationError
@@ -128,8 +129,8 @@ def _provide_jwts(self):
                 False,
                 """eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6
                 IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.dyt0CoTl4WoVjAHI9Q_CwSKhl6d_9rhM3NrXuJttkao""",
-                InvalidAlgorithmError,
-                "Algorithm not allowed",
+                PyJWKClientError,
+                'Unable to find a signing key that matches: "None"',
             ),
             # Not before (nfb) in future
             (
@@ -183,8 +184,8 @@ def _provide_jwts(self):
             (
                 False,
                 self._generate_jwt(iss="https://auth.acme.com", exp=int(time()) + 100, nbf=int(time()) - 100, algorithm="none"),
-                InvalidAlgorithmError,
-                "Algorithm not allowed",
+                PyJWKClientError,
+                'Unable to find a signing key that matches: "None"',
             ),
             # Success with old Frontend API URL in config (2)
             (
