From a4a88251c37cd8cb227b304a5abf17033b31e3be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nathan=20H=C3=BCsken?=
Date: Mon, 3 Jun 2024 09:47:16 +0200
Subject: [PATCH] Throw TokenVerifificationError if the key ID is not known by cognito
---
 pycognito/__init__.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index bd28318a..692fee1b 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
@@ -233,7 +233,10 @@ def get_keys(self):
 def get_key(self, kid):
 keys = self.get_keys().get("keys")
 key = list(filter(lambda x: x.get("kid") == kid, keys))
- return key[0]
+ if len(key) > 0:
+ return key[0]
+ else:
+ return None
 def verify_tokens(self):
 """
@@ -249,7 +252,12 @@ def verify_token(self, token, id_name, token_use):
 # https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
 kid = jwt.get_unverified_header(token).get("kid")
- hmac_key = jwt.api_jwk.PyJWK(self.get_key(kid)).key
+ key = self.get_key(kid)
+ if key is None:
+ raise TokenVerificationException( f"Your {id_name!r} token could not be verified (key with ID {kid} not found)." )
+ hmac_key = jwt.api_jwk.PyJWK(key).key
 required_claims = (["aud"] if token_use != "access" else []) + ["iss", "exp"]
 try:
 decoded = jwt.api_jwt.decode_complete(
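Review bot: `get_key` now returns either a JWK dict or None, but nothing documents that contract, and the added `if len(key) > 0` / `else: return None` block is a roundabout way of taking the first match from a list built only for that purpose; `return next((k for k in keys if k.get("kid") == kid), None)` states the same contract in one line, paired with a docstring such as `"""Return the JWK from the pool's key set whose kid matches, or None if no key has that ID."""` so callers know to check for None. If `get_keys()` hands back a cached key set (not visible in this hunk), an unknown kid can also mean the cache predates a key rotation rather than a token signed with a foreign key, so it is worth confirming whether the set is refreshed once before the None result turns into a verification failure in `verify_token`. The lookup still passes `keys` straight to `filter`, so a response without a `"keys"` entry raises TypeError instead of the new TokenVerificationException; `keys = self.get_keys().get("keys", [])` would route that case through the same None path. This is pre-existing behaviour, but the commit's new failure path is the natural place to cover it.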