qi}VZUddlmZddlZddlZddlZddlmZddlmZm Z m Z ddl m Z m Z m Z ddlmZmZmZmZddlmZmZdd lmZmZmZmZmZmZmZmZmZdd lm Z ese!ejDd d rwddl#Z#e#jHd k\rddlm%Z%nddl&m%Z%ddl'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.e(r%ddl'm/Z/m0Z0ee/e*e1e2fZ3de4d<ee0e*e1e2fZ5de4d<nee*e1e2fZ3de4d<ee*e1e2fZ5de4d<GddZ6e6Z7ee7_8e7jrZ9e7jtZ:e7jvZ;y)) annotationsN)timegm) ContainerIterableSequence)datetime timedeltatimezone) TYPE_CHECKINGAnyUnioncast)PyJWS_jws_global_obj) DecodeErrorExpiredSignatureErrorImmatureSignatureErrorInvalidAudienceErrorInvalidIssuedAtErrorInvalidIssuerErrorInvalidJTIErrorInvalidSubjectErrorMissingRequiredClaimError)RemovedInPyjwt3Warning SPHINX_BUILD) ) TypeAlias) has_crypto)PyJWK) FullOptionsOptions SigOptions)AllowedPrivateKeysAllowedPublicKeysr AllowedPrivateKeyTypesAllowedPublicKeyTypesceZdZdddZeddZddZdddZ d ddZ d ddZ d d dZ d!d Z d d"d Z d# d$d Z d%d Z d d&d Zd'dZ d(dZ d(dZ d(dZdd d)dZ d*dZy)+PyJWTNc||j|_||j||_t|j |_y)N)options)_get_default_optionsr-_merge_optionsr_get_sig_options_jwsselfr-s =/opt/pipecat/venv/lib/python3.12/site-packages/jwt/api_jwt.py__init__zPyJWT.__init__1sB 002  ..w7DL$"7"7"9: c ddddddddgddd S)NTF) verify_signature verify_exp verify_nbf verify_iat verify_aud verify_iss verify_sub verify_jtirequire strict_audenforce_minimum_key_lengthrCr6r4r.zPyJWT._get_default_options9s/!%*/  r6cZ|jd|jjdddS)Nr8rBF)r8rBr-get)r3s r4r0zPyJWT._get_sig_optionsIs0 $ -? @*.,,*:*:,e+  r6c| |jS|jdds|jdd|d<|jdd|d<|jdd|d<|jdd|d<|jdd|d<|jd d|d <|jd d|d <i|j|S) Nr8Tr9Fr:r;r<r=r>r?rEr2s r4r/zPyJWT._merge_optionsQs ?<< {{-t4$+KK e$DGL !$+KK e$DGL !$+KK e$DGL !$+KK e$DGL !$+KK e$DGL !$+KK e$DGL !$+KK e$DGL !*$,,*'**r6ct|ts td|j}dD]A}t|j |t s#t ||j||<Cd|vrt|dts td|j|||}|jj||||||S)aEncode the ``payload`` as JSON Web Token. :param payload: JWT claims, e.g. ``dict(iss=..., aud=..., sub=...)`` :type payload: dict[str, typing.Any] :param key: a key suitable for the chosen algorithm: * for **asymmetric algorithms**: PEM-formatted private key, a multiline string * for **symmetric algorithms**: plain string, sufficiently long for security :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPrivateKeys` :param algorithm: algorithm to sign the token with, e.g. ``"ES256"``. If ``headers`` includes ``alg``, it will be preferred to this parameter. If ``key`` is a :class:`PyJWK` object, by default the key algorithm will be used. :type algorithm: str or None :param headers: additional JWT header fields, e.g. ``dict(kid="my-key-id")``. :type headers: dict[str, typing.Any] or None :param json_encoder: custom JSON encoder for ``payload`` and ``headers`` :type json_encoder: json.JSONEncoder or None :rtype: str :returns: a JSON Web Token :raises TypeError: if ``payload`` is not a ``dict`` zGExpecting a dict object, as JWT only supports JSON objects as payloads.)expiatnbfisszIssuer (iss) must be a string.)headers json_encoder) sort_headers) isinstancedict TypeErrorcopyrFrr utctimetuplestr_encode_payloadr1encode) r3payloadkey algorithmrMrNrO time_claim json_payloads r4rWz PyJWT.encode`sD'4(,  ,,./ QJ'++j18<&,WZ-@-M-M-O&P # Q G Jwu~s$C<= =++ %, yy     %    r6cPtj|d|jdS)z Encode a given payload to the bytes to be signed. This method is intended to be overridden by subclasses that need to encode the payload in a different way, e.g. compress the payload. ),:) separatorsclszutf-8)jsondumpsrW)r3rXrMrNs r4rVzPyJWT._encode_payloads)zz !  &/  r6c  | r6tjdt| jtd|d} n|j dd} |!|| k7rtjdt d|j|} d| i}|jj|||||}|j|}|j|| ||| | ||d <|S) u$Identical to ``jwt.decode`` except for return value which is a dictionary containing the token header (JOSE Header), the token payload (JWT Payload), and token signature (JWT Signature) on the keys "header", "payload", and "signature" respectively. :param jwt: the token to be decoded :type jwt: str or bytes :param key: the key suitable for the allowed algorithm :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys` :param algorithms: allowed algorithms, e.g. ``["ES256"]`` .. warning:: Do **not** compute the ``algorithms`` parameter based on the ``alg`` from the token itself, or on any other data that an attacker may be able to influence, as that might expose you to various vulnerabilities (see `RFC 8725 §2.1 `_). Instead, either hard-code a fixed value for ``algorithms``, or configure it in the same place you configure the ``key``. Make sure not to mix symmetric and asymmetric algorithms that interpret the ``key`` in different ways (e.g. HS\* and RS\*). :type algorithms: typing.Sequence[str] or None :param jwt.types.Options options: extended decoding and validation options Refer to :py:class:`jwt.types.Options` for more information. :param audience: optional, the value for ``verify_aud`` check :type audience: str or typing.Iterable[str] or None :param issuer: optional, the value for ``verify_iss`` check :type issuer: str or typing.Container[str] or None :param leeway: a time margin in seconds for the expiration check :type leeway: float or datetime.timedelta :rtype: dict[str, typing.Any] :returns: Decoded JWT with the JOSE Header on the key ``header``, the JWS Payload on the key ``payload``, and the JWS Signature on the key ``signature``. zypassing additional kwargs to decode_complete() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs:  stacklevelTr8zThe `verify` argument to `decode` does nothing in PyJWT 2.0 and newer. The equivalent is setting `verify_signature` to False in the `options` dictionary. This invocation has a mismatch between the kwarg and the option entry.)categoryrg)rY algorithmsr-detached_payload)audienceissuerleewaysubjectrX) warningswarntuplekeysrrFDeprecationWarningr/r1decode_complete_decode_payload_validate_claims)r3jwtrYrir-verifyrjrkrlrnrmkwargsr8merged_options sig_optionsdecodedrXs r4rtzPyJWT.decode_completesr  MM'',V[[]';&<>'   ?# &{{+=tD   &,<"< MMY,  ,,W5  0# ))++ !- , &&w/     % r6c tj|d}t |t s td|S#t$r}td||d}~wwxYw)a Decode the payload from a JWS dictionary (payload, signature, header). This method is intended to be overridden by subclasses that need to decode the payload in a different way, e.g. decompress compressed payloads. rXzInvalid payload string: Nz-Invalid payload string: must be a json object)rbloads ValueErrorrrPrQ)r3r|rXes r4ruzPyJWT._decode_payload"sa E&*jj1C&DG'4(MN N  E 8<=1 D Es7 AAAc | r6tjdt| jtd|j ||||||||| |  } t tttf| dS)uVerify the ``jwt`` token signature and return the token claims. :param jwt: the token to be decoded :type jwt: str or bytes :param key: the key suitable for the allowed algorithm :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys` :param algorithms: allowed algorithms, e.g. ``["ES256"]`` If ``key`` is a :class:`PyJWK` object, allowed algorithms will default to the key algorithm. .. warning:: Do **not** compute the ``algorithms`` parameter based on the ``alg`` from the token itself, or on any other data that an attacker may be able to influence, as that might expose you to various vulnerabilities (see `RFC 8725 §2.1 `_). Instead, either hard-code a fixed value for ``algorithms``, or configure it in the same place you configure the ``key``. Make sure not to mix symmetric and asymmetric algorithms that interpret the ``key`` in different ways (e.g. HS\* and RS\*). :type algorithms: typing.Sequence[str] or None :param jwt.types.Options options: extended decoding and validation options Refer to :py:class:`jwt.types.Options` for more information. :param audience: optional, the value for ``verify_aud`` check :type audience: str or typing.Iterable[str] or None :param subject: optional, the value for ``verify_sub`` check :type subject: str or None :param issuer: optional, the value for ``verify_iss`` check :type issuer: str or typing.Container[str] or None :param leeway: a time margin in seconds for the expiration check :type leeway: float or datetime.timedelta :rtype: dict[str, typing.Any] :returns: the JWT claims zppassing additional kwargs to decode() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs: rerf)rxrjrkrnrlrmrX) rorprqrrrrtrrQrUr ) r3rwrYrir-rxrjrkrnrlrmryr|s r4decodez PyJWT.decode2sr  MM'',V[[]';&<>'  &&    -'  DcNGI$677r6ct|tr|j}|!t|ttfs t d|j ||dtjtjj}d|vr|dr|j|||d|vr|dr|j|||d|vr|d r|j||||d r|j|||d r$|j!|||j#d d |dr|j%|||dr|j'|yy)Nz+audience must be a string, iterable or Noner@)tzrJr;rKr:rIr9r=r<rAFstrictr>r?)rPr total_secondsrUrrR_validate_required_claimsrnowr utc timestamp _validate_iat _validate_nbf _validate_exp _validate_iss _validate_audrF _validate_sub _validate_jti)r3rXr-rkrlrnrmrs r4rvzPyJWT._validate_claimssH fi ())+F   8c8_(MIJ J &&w 0BCllhll+557 G  5   wV 4 G  5   wV 4 G  5   wV 4 <   w / <   '++lE*J   <   w 0 <   w ' !r6cJ|D]}|j|t|yN)rFr)r3rXclaimsclaims r4rzPyJWT._validate_required_claimss-  7E{{5!)/66 7r6cd|vryt|dts td| |jd|k7r tdyy)z Checks whether "sub" if in the payload is valid or not. This is an Optional claim :param payload(dict): The payload which needs to be validated :param subject(str): The subject of the token subNzSubject must be a stringzInvalid subject)rPrUrrF)r3rXrns r4rzPyJWT._validate_subsV   '%.#.%&@A A  {{5!W,)*;<<- r6cbd|vryt|jdts tdy)z Checks whether "jti" if in the payload is valid or not This is an Optional claim :param payload(dict): The payload which needs to be validated jtiNzJWT ID must be a string)rPrFrUr)r3rXs r4rzPyJWT._validate_jtis3   '++e,c2!";< <3r6cz t|d}|||zkDr tdy#t$r tddwxYw)NrJz)Issued At claim (iat) must be an integer.z The token is not yet valid (iat))intrrr)r3rXrrmrJs r4rzPyJWT._validate_iatsX  gen%C #, ()KL L  &;  $:cz t|d}|||zkDr tdy#t$r tddwxYw)NrKz*Not Before claim (nbf) must be an integer.z The token is not yet valid (nbf))rrrr)r3rXrrmrKs r4rzPyJWT._validate_nbfsW  Vgen%C #, ()KL L  VJKQU U Vrcz t|d}|||z kr tdy#t$r tddwxYw)NrIz/Expiration Time claim (exp) must be an integer.zSignature has expired)rrrr)r3rXrrmrIs r4rzPyJWT._validate_expsX  gen%C 3< '(?@ @ !  A  rFrc|d|vs|dsytdd|vs|ds td|d|rGt|ts tdtts td|k7r tdyttrgtts tdt dDr tdt|tr|g}t fd|Dr td y) NaudzInvalid audiencezInvalid audience (strict)z&Invalid claim format in token (strict)zAudience doesn't match (strict)zInvalid claim format in tokenc3>K|]}t|t ywr)rPrU).0cs r4 z&PyJWT._validate_aud..-s?!:a%%?sc3&K|]}|v ywrrC)rraudience_claimss r4rz&PyJWT._validate_aud..3s>cs/)>szAudience doesn't match)rrrPrUlistanyall)r3rXrkrrs @r4rzPyJWT._validate_auds   G#75>''9: :  wu~,E2 2!%. h,*+FGGos3*+STT?**+LMM  os +./O/40&'FG G ?? ?&'FG G h $ zH >X> >&'?@ @ ?r6c|yd|vr td|d}t|ts tdt|tr||k7r tdy ||vr tdy#t$r tddwxYw)NrLz%Payload Issuer (iss) must be a stringzInvalid issuerz.Issuer param must be "str" or "Container[str]")rrPrUrrR)r3rXrlrLs r4rzPyJWT._validate_iss6s >   +E2 2en#s#$%LM M fc "f}()9:: f$,-=>>% (D s A%%A;r)r-Options | NonereturnNone)rr#)rr%)r-rrr#)HS256NNT)rXdict[str, Any]rYr(rZ str | NonerMdict[str, Any] | NonerNtype[json.JSONEncoder] | NonerOboolrrU)NN)rXrrMrrNrrbytes) rNNNNNNNr)rw str | bytesrYr)riSequence[str] | Noner-rrx bool | Nonerj bytes | Nonerkstr | Iterable[str] | Nonerlstr | Container[str] | Nonernrrmfloat | timedeltaryr rr)r|rrr)rwrrYz'AllowedPublicKeys | PyJWK | str | bytesrirr-rrxrrjrrkrrnrrlrrmrryr rr)NNNr)rXrr-r#rkzIterable[str] | str | NonerlContainer[str] | str | Nonernrrmrrr)rXrrz Iterable[str]rr)rXrrnrrr)rXrrr)rXrrfloatrmrrr)rXrrkrrrrr)rXrrlrrr)__name__ __module__ __qualname__r5 staticmethodr.r0r/rWrVrtrurrvrrrrrrrrrCr6r4r+r+0s;      +&!()-6:!@ @ $@  @ ' @ 4 @ @  @ J*.6: '4   *&(+/"&")-04.2"$%l l#l) l  ll'l-l,ll"l"#l$ %l\&8:+/"&")-04".2$%M8 M85M8) M8  M8M8'M8-M8M8,M8"M8"#M8$ %M8f04.2"$%((((((- (( , ((  (("(( ((T777  7>B=%=0:= =* = M M M M  M M M M M  MAAA A  A* 0A0A-0A  0A  0Ad%/J r6r+)< __future__rrbosrocalendarrcollections.abcrrrrr r typingr r r rapi_jwsrr exceptionsrrrrrrrrrrrgetenvsys version_infor typing_extensionsrir!api_jwkr"typesr#r$r%r&r'rUrr(__annotations__r)r+_jwt_global_objr1rWrtrrCr6r4rs"" 992222+   -D>267 7"$ 0&77E,12DeSRW2W,X X+01BE3PU1U+VyV,1%e2C,D D+0U1B+CyC]]@'&   !11   r6