Add base exception for invalid tokens #60
Conversation
|
@wbolster hmmm debating this one, haven't come across the need. @mark-adams since you seem to be using this library recently, any thoughts? Update: I really don't mind merging this in, but just want to make sure before we add another exception class here. |
|
I could definitely see the use in being able to capture any type of JWT-related exception by using the base class and since it doesn't change the API in any significant way, I don't see any problem with it. I don't have a specific use-case for it, but I don't think it clutters things very much either. I can picture someone wishing to handle all of the JWT-related exceptions in the same way while wanting to handle any other exceptions in a different manner. For the record though, I haven't run into a need for this either, but I don't have anything against it. I do have a problem with the naming however. PEP 8 says that exception names should usually end in |
|
A bit more about the rationale: since JWT is used to convey authorizations, a general way to handle "hey, this jwt should be rejected" is really useful. Expired tokens, corrupted tokens, wrong signatures, wrong audience, wrong publisher, wrong whatever; they all mean the JWT should be rejected. A base exception that covers all of these solves this. This general "rejection" exception would be used by code that checks whether a client is authorised to make a certain HTTP request for instance, since that code doesn't care about the exact reason. Re. API 'cluttering'; my opinion is that is actually avoiding any clutter. Right now application code has to catch multiple exceptions, and if it forgets to handle one, the application would crash if those exceptions happen later on. Especially for security APIs, a fool-proof and simple way for applications to handle "hey this is not allowed" is very important. Re. the naming: I agree that exception names should usually have |
|
@wbolster sounds good. It's a bit late to fix the naming on the older exceptions, so let's leave those as they are for now and correctly name the new one. I like |
|
Okay, renamed to |
|
@wbolster I understand your rationale completely and agree with it all (which is why I can't find any problems with it). I agree with your thoughts on the naming as well. I looked at a couple of other libraries and it looks like using a base exception for functional purposes (InvalidTokenError) is much more common than organizationally with a name like JWTError. My choice of name was purely based on gut; but my gut now tells me yours is better. :-) @jpadilla What do you think about changing the real names of the existing exceptions to have |
|
Seems like our comments crossed mid-air, @mark-adams :) Let me know if you want me to rename the other exceptions as well (with aliases for compatibility, but is this pyjwt version already stable API? :)) |
|
I've been wanting to hit 1.0 already for a while now, since I'm pretty sure we already have a pretty solid and stable API, but I've been holding off with the latest "influx" of contributions. Could we set Makes sense? |
|
I can't think of a way to use |
|
Btw, I think the README should be updated to reflect that the |
|
I'd suggest making a decorator (something like this) to wrap those errors and have the decorator call warnings.warn("This exception has been deprecated", DeprecationWarning) before the actual function is invoked. That seems like a pretty sane idea. :-) Also, I'm not sure about the statement that " In the case of the README, I think the simplest base case for JWT failure is testing to see if the signature is good or bad and that is what the documentation is showing. I do think it wouldn't be a bad idea for us to add docstrings to the errors to explain what each one of them is for but that probably can be something separate from this. |
|
Regarding the Agree with @mark-adams and the README. Also adding docstrings to those exceptions is also a good idea, but that can be managed out of this PR as well. |
|
The problem with the The problem is that application code that does sth like this: try:
jwt.decode(...)
except jwt.InvalidIssuer:
handle_error()...only mentions the |
|
Re. the "this is likely the error you want" remarks: I think your use case is already a quite specialized one. The most basic use case for JWT would just be API authorizations, and then anything that isn't a valid token should just be blindly rejected. Anything extra is specialization, I'd say. |
|
@wbolster yeah, now I get that. Let's just rename them and keep aliases for compatibility. We'll call it out in the release notes. |
|
@wbolster, That's a really good point about the decorators. This looks good to merge as far as I'm concerned once the last bit with the aliases is in |
|
Okay, I'll update the PR. |
...but keep the old names around as deprecated aliases for backward compatibility.
|
Okay, updated the PR. Please review. |
|
Looks good to me. Thanks @wbolster! |
Add base exception for invalid tokens
Fixes #59.