Merge pull request #67 from web-push-libs/feat/79

feat: Deep copy the claims before fixup

Author: jrconlin

python/py_vapid/__init__.py

@@ -7,6 +7,7 @@
 import binascii
 import time
 import re
+import copy
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec, utils as ecutils
@@ -254,23 +255,24 @@ def verify_token(self, validation_token, verification_token):
             return False
 
     def _base_sign(self, claims):
-        if not claims.get('exp'):
-            claims['exp'] = str(int(time.time()) + 86400)
+        cclaims = copy.deepcopy(claims)
+        if not cclaims.get('exp'):
+            cclaims['exp'] = str(int(time.time()) + 86400)
         if not re.match("mailto:.+@.+\..+",
-                        claims.get('sub', ''),
+                        cclaims.get('sub', ''),
                         re.IGNORECASE):
             raise VapidException(
                 "Missing 'sub' from claims. "
                 "'sub' is your admin email as a mailto: link.")
         if not re.match("^https?:\/\/[^\/\.:]+\.[^\/:]+(:\d+)?$",
-                        claims.get("aud", ""),
+                        cclaims.get("aud", ""),
                         re.IGNORECASE):
             raise VapidException(
                 "Missing 'aud' from claims. "
                 "'aud' is the scheme, host and optional port for this "
                 "transaction e.g. https://example.com:8080")
 
-        return claims
+        return cclaims
 
     def sign(self, claims, crypto_key=None):
         """Sign a set of claims.
@@ -284,8 +286,7 @@ def sign(self, claims, crypto_key=None):
         :rtype: dict
 
         """
-        claims = self._base_sign(claims)
-        sig = sign(claims, self.private_key)
+        sig = sign(self._base_sign(claims), self.private_key)
         pkey = 'p256ecdsa='
         pkey += b64urlencode(
             self.public_key.public_numbers().encode_point())
@@ -307,8 +308,7 @@ class Vapid02(Vapid01):
     _schema = "vapid"
 
     def sign(self, claims, crypto_key=None):
-        claims = self._base_sign(claims)
-        sig = sign(claims, self.private_key)
+        sig = sign(self._base_sign(claims), self.private_key)
         pkey = self.public_key.public_numbers().encode_point()
         return{
             "Authorization": "{schema} t={t},k={k}".format(

python/py_vapid/tests/test_vapid.py

@@ -1,5 +1,6 @@
 import binascii
 import base64
+import copy
 import os
 import json
 import unittest
@@ -139,7 +140,8 @@ def test_sign_01(self):
             v.public_key.public_numbers().encode_point()
         ).decode('utf8').replace('+', '-').replace('/', '_').strip()
         items = decode(result['Authorization'].split(' ')[1], pkey)
-        eq_(items, claims)
+        for k in claims:
+            eq_(items[k], claims[k])
         result = v.sign(claims)
         eq_(result['Crypto-Key'],
             'p256ecdsa=' + T_PUBLIC_RAW.decode('utf8'))
@@ -155,6 +157,7 @@ def test_sign_02(self):
         claims = {"aud": "https://example.com",
                   "sub": "mailto:[email protected]",
                   "foo": "extra value"}
+        claim_check = copy.deepcopy(claims)
         result = v.sign(claims, "id=previous")
         auth = result['Authorization']
         eq_(auth[:6], 'vapid ')
@@ -168,6 +171,7 @@ def test_sign_02(self):
         k_val = binascii.a2b_base64(self.repad(parts[1][2:]))
         eq_(binascii.hexlify(k_val)[:2], b'04')
         eq_(len(k_val), 65)
+        eq_(claims, claim_check)
         for k in claims:
             eq_(t_val[k], claims[k])
 

python/setup.py

@@ -3,7 +3,7 @@
 
 from setuptools import setup, find_packages
 
-__version__ = "1.3.1"
+__version__ = "1.4.0"
 
 
 def read_from(file):