Merge branch 'master' into klenotiw/add-stale-and-waiting-workflows

klenotiw · web-flow · commit a9cc756cf031 · 2022-10-18T15:17:57.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,7 +6,7 @@ jobs:
     name: Python ${{ matrix.version }}
     strategy:
       matrix:
-        version: [3.6, 3.10.0]
+        version: [3.7, 3.10.0]
 
     steps:
       - name: Checkout
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,9 @@
 == Unreleased
 
+== Version 12.0.1
+- Allow up to 10 seconds clock skew to avoid `ImmatureSignatureError`
+([#609](https://github.com/Shopify/shopify_python_api/pull/609))
+
 == Version 12.0.0
 - Update API version with 2022-04 release, remove API version 2021-07 ([#591](https://github.com/Shopify/shopify_python_api/pull/591))
 
diff --git a/shopify/session_token.py b/shopify/session_token.py
@@ -14,6 +14,7 @@
 ALGORITHM = "HS256"
 PREFIX = "Bearer "
 REQUIRED_FIELDS = ["iss", "dest", "sub", "jti", "sid"]
+LEEWAY_SECONDS = 10
 
 
 class SessionTokenError(Exception):
@@ -54,6 +55,9 @@ def _decode_session_token(session_token, api_key, secret):
             secret,
             audience=api_key,
             algorithms=[ALGORITHM],
+            # AppBridge frequently sends future `nbf`, and it causes `ImmatureSignatureError`.
+            # Accept few seconds clock skew to avoid this error.
+            leeway=LEEWAY_SECONDS,
             options={"require": REQUIRED_FIELDS},
         )
     except jwt.exceptions.PyJWTError as exception:
diff --git a/shopify/version.py b/shopify/version.py
@@ -1 +1 @@
-VERSION = "12.0.0"
+VERSION = "12.0.1"
diff --git a/test/session_token_test.py b/test/session_token_test.py
@@ -48,7 +48,7 @@ def test_raises_if_token_authentication_header_is_not_bearer(self):
         self.assertEqual("The HTTP_AUTHORIZATION_HEADER provided does not contain a Bearer token", str(cm.exception))
 
     def test_raises_jwt_error_if_session_token_is_expired(self):
-        self.payload["exp"] = timestamp((datetime.now() + timedelta(0, -10)))
+        self.payload["exp"] = timestamp((datetime.now() + timedelta(0, -11)))
 
         with self.assertRaises(session_token.SessionTokenError) as cm:
             session_token.decode_from_header(self.build_auth_header(), api_key=self.api_key, secret=self.secret)
@@ -103,3 +103,8 @@ def test_returns_decoded_payload(self):
         )
 
         self.assertEqual(self.payload, decoded_payload)
+
+    def test_allow_10_seconds_clock_skew_in_nbf(self):
+        self.payload["nbf"] = timestamp((datetime.now() + timedelta(seconds=10)))
+
+        session_token.decode_from_header(self.build_auth_header(), api_key=self.api_key, secret=self.secret)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-VERSION = "12.0.0"`
	`1`	`+VERSION = "12.0.1"`