From 28f7e685356378d5e1f2c5b7048aa0b1aeef2b78 Mon Sep 17 00:00:00 2001
From: Jonah Schiestle
Date: Thu, 7 Mar 2024 15:23:00 -0500
Subject: [PATCH 1/2] update at_hash check to handle byte or str type returned from base64.urlsafe_b64encode

---
 pycognito/__init__.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index 2b2d9b2c..5191fd31 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
@@ -278,7 +278,11 @@ def verify_token(self, token, id_name, token_use):
 if "at_hash" in verified:
 alg_obj = jwt.get_algorithm_by_name(header["alg"])
 digest = alg_obj.compute_hash_digest(self.access_token)
- at_hash = base64.urlsafe_b64encode(digest[: (len(digest) // 2)]).rstrip("=")
+ at_hash = base64.urlsafe_b64encode(digest[: (len(digest) // 2)])
+ if isinstance(at_hash, bytes):
+ at_hash = at_hash.rstrip(b"=").decode("utf-8")
+ else:
+ at_hash = at_hash.rstrip("=")
 if at_hash != verified["at_hash"]:
 raise TokenVerificationException(
 "at_hash claim does not match access_token."
From e39a0d3cdd06c216ac4ff8fa516ed9a1d7ac78bc Mon Sep 17 00:00:00 2001
From: Jonah Schiestle
Date: Thu, 7 Mar 2024 15:52:22 -0500
Subject: [PATCH 2/2] allow id and access tokens passed as str or bytestr to Cognito class instantiation

---
 pycognito/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index 5191fd31..9a7f3c33 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
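Review bot: In the [PATCH 1/2] hunk, the `else:` branch added after `isinstance(at_hash, bytes)` is unreachable on Python 3, where `base64.urlsafe_b64encode` always returns `bytes`; that is also why the removed `.rstrip("=")` would have raised TypeError whenever an `at_hash` claim was present. The five added lines can be a single one: `at_hash = base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")`. Since this check is what binds the access token to the ID token, a regression test that verifies an ID token carrying `at_hash` would keep it from silently breaking again. verify_token's body starts and ends outside the hunk.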
@@ -277,7 +277,10 @@ def verify_token(self, token, id_name, token_use):
 # Compute and verify at_hash (formerly done by python-jose)
 if "at_hash" in verified:
 alg_obj = jwt.get_algorithm_by_name(header["alg"])
- digest = alg_obj.compute_hash_digest(self.access_token)
+ try:
+ digest = alg_obj.compute_hash_digest(self.access_token)
+ except TypeError:
+ digest = alg_obj.compute_hash_digest(self.access_token.encode("utf-8"))
 at_hash = base64.urlsafe_b64encode(digest[: (len(digest) // 2)])
 if isinstance(at_hash, bytes):
 at_hash = at_hash.rstrip(b"=").decode("utf-8")
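Review bot: In the [PATCH 2/2] hunk, `except TypeError:` picks the encoding path by catching an exception from library code instead of checking the token's type, so any other TypeError raised inside `compute_hash_digest` is retried as if it were a str/bytes mismatch. If `self.access_token` can be unset at this point (not visible in the hunk), the handler's `.encode` raises AttributeError rather than TokenVerificationException, so callers that catch only the latter see an unexpected error type from a verification path. An explicit conversion reads more clearly: `token = self.access_token`, then `if isinstance(token, str): token = token.encode("utf-8")`, then `digest = alg_obj.compute_hash_digest(token)`, with a TokenVerificationException raised when the token is missing. verify_token's body extends beyond the hunk.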