Open
Description
Hi, thanks for maintaining quart-session!
I found a bug in SafeSigner.loads() that breaks session loading and causes this error:
TypeError: loads() missing 1 required positional argument: 'secret_key'
This happens because:
- the signature is never verified
- json.loads() is called on the raw value
- the signed cookie format is split incorrectly
- no constant-time check is used
Here is the exception I encountered while using MemcachedSessionInterface, RedisSessionInterface, RedisTrioSessionInterface, etc.:
Bad signature for sid: <sid>
TypeError: cannot use a string pattern on a bytes-like object
This prevents Quart 0.20.0 apps from saving or loading sessions.
I have included a clean patch (diff) which fixes the problem by correctly calculating the HMAC, validating the signature, and safely decoding JSON.
Thanks for reviewing!
Patch (Fix)
@@ def loads(self, signed_value: str, secret_key: str) -> t.Any:
- # old broken code here
- value = json.loads(signed_value)
- return value
+ try:
+ unsigned_value, sig = signed_value.rsplit(".", 1)
+ except ValueError:
+ raise BadSignature("Malformed signed value")
+
+ expected_sig = hmac.new(
+ secret_key.encode(), unsigned_value.encode(), hashlib.sha256
+ ).hexdigest()
+
+ if not hmac.compare_digest(expected_sig, sig):
+ raise BadSignature("Invalid signature")
+
+ try:
+ return json.loads(unsigned_value)
+ except Exception as exc:
+ raise BadSignature("Invalid JSON payload") from exc
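Review bot: The new `loads()` still declares `secret_key` as a required positional argument, which is exactly the call mismatch behind the reported `TypeError: loads() missing 1 required positional argument: 'secret_key'`; unless every call site is updated in the same change (none appear in this hunk), session loading keeps failing. Consider having the signer hold the key from its constructor so `loads(signed_value)` works as the session interfaces call it. Second, the body assumes `signed_value` is `str`: a bytes value of the kind behind the `cannot use a string pattern on a bytes-like object` traceback above would make `signed_value.rsplit(".", 1)` and `unsigned_value.encode()` raise `TypeError` rather than `BadSignature`, so decode bytes input before splitting. Also, `hmac.compare_digest` on two `str` values raises `TypeError` when either contains non-ASCII characters, so compare the encoded forms (`expected_sig.encode()`, `sig.encode()`), and narrow `except Exception` around `json.loads` to `json.JSONDecodeError` so unrelated errors are not reported as bad signatures.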
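As an added example (not quart-session's own code), a stand-alone signer for the same `<json>.<hex HMAC-SHA256>` format the patch above verifies, which holds the key in the constructor, normalises bytes input from the store, and compares digests as bytes; `SafeSigner`, `BadSignature` and `is_rejected` are hypothetical stand-ins for the project's names, and the key and payloads are constructed sample values.

```python
import hashlib
import hmac
import json
import typing as t


class BadSignature(Exception):
    """Raised when a stored session value fails verification."""


class SafeSigner:
    """Hypothetical '<json>.<hex HMAC-SHA256>' signer; not quart-session's own class."""

    def __init__(self, secret_key: t.Union[str, bytes]) -> None:
        # Hold the key here so callers never pass it per call (see the TypeError above)
        self._key = secret_key.encode() if isinstance(secret_key, str) else secret_key

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def dumps(self, value: t.Any) -> str:
        # Canonical JSON: the same value always serialises to the same signed bytes
        payload = json.dumps(value, separators=(",", ":"), sort_keys=True)
        return f"{payload}.{self._sign(payload)}"

    def loads(self, signed_value: t.Union[str, bytes]) -> t.Any:
        # Stores may hand back bytes; normalise before splitting on the separator
        if isinstance(signed_value, bytes):
            signed_value = signed_value.decode("utf-8", errors="replace")
        try:
            payload, sig = signed_value.rsplit(".", 1)
        except ValueError:
            raise BadSignature("Malformed signed value") from None
        # Compare as bytes: compare_digest() raises TypeError on non-ASCII str input
        if not hmac.compare_digest(self._sign(payload).encode(), sig.encode()):
            raise BadSignature("Invalid signature")
        try:
            return json.loads(payload)
        except json.JSONDecodeError as exc:
            raise BadSignature("Invalid JSON payload") from exc


def is_rejected(signer: SafeSigner, value: t.Union[str, bytes]) -> bool:
    """True when loads() refuses the value with BadSignature (helper for checks)."""
    try:
        signer.loads(value)
    except BadSignature:
        return True
    return False
```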