
test: use >=32-byte HMAC signing keys in JWTService tests (unblocks pyjwt 2.13.0) #10151

Open: santicomp2014 wants to merge 1 commit into main from fix/jwt-test-signing-key-length

@santicomp2014


Unblocks the pyjwt 2.13.0 security bump (#10132).

pyjwt 2.13.0 adds InsecureKeyLengthWarning for HS256 HMAC keys < 32 bytes (RFC 7518 §3.2). JWTService tests use "test_jwt_signing_key" (20B) and "invalid_key" (11B); pytest runs filterwarnings=error, so the warning fails Tests and blocks #10132.

Lengthens both signing keys to ≥32 bytes. The invalid-key test keeps using a different key, so it still exercises the signature-mismatch path. Version-independent (passes with the current pyjwt 2.10.1). Production unaffected — the warning is never an error there.

Same root cause + fix as lms #7394.

🤖 Generated with Claude Code

pyjwt 2.13.0 emits InsecureKeyLengthWarning for HS256 HMAC keys under 32 bytes
(RFC 7518 3.2). The JWTService tests use 'test_jwt_signing_key' (20B) and
'invalid_key' (11B); pytest runs filterwarnings=error, so the warning fails the
suite and blocks the pyjwt 2.13.0 security bump (#10132). Lengthen both to
>=32 bytes (the invalid-key test still uses a *different* key, so it still
exercises the signature-mismatch path). Version-independent; production unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
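
The failure mode described in this pull request, as an added example that is not part of the PR or the project's code: a stdlib-only HMAC JWT signer applies the RFC 7518 §3.2 minimum key length (generalized here to HS384 and HS512 as well as HS256) and warns on shorter keys, with warnings promoted to errors as under pytest's filterwarnings=error. `ShortHmacKeyWarning`, `sign`, `verify`, `fails_under_strict_warnings` and the two 32-byte keys are constructed for illustration; they stand in for pyjwt's InsecureKeyLengthWarning and the lengthened JWTService test keys.

```python
import base64, hashlib, hmac, json, warnings

# RFC 7518 §3.2: the HMAC key must be at least as long as the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
GOOD_KEY = b"a" * 32   # constructed test key, exactly 32 bytes
OTHER_KEY = b"b" * 32  # constructed, different key of the same length

class ShortHmacKeyWarning(UserWarning):
    """Hypothetical stand-in for pyjwt's InsecureKeyLengthWarning."""

def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _check_key(key: bytes, alg: str) -> None:
    need = MIN_KEY_BYTES[alg]
    if len(key) < need:
        warnings.warn(f"{alg} key is {len(key)} bytes, minimum is {need}",
                      ShortHmacKeyWarning, stacklevel=3)

def sign(payload: dict, key: bytes, alg: str = "HS256") -> bytes:
    _check_key(key, alg)
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + b"." + body
    sig = hmac.new(key, signing_input, DIGESTS[alg]).digest()
    return signing_input + b"." + _b64url(sig)

def verify(token: bytes, key: bytes, alg: str = "HS256") -> bool:
    # The algorithm comes from the caller, never from the token header.
    _check_key(key, alg)
    signing_input, _, sig = token.rpartition(b".")
    expected = _b64url(hmac.new(key, signing_input, DIGESTS[alg]).digest())
    return hmac.compare_digest(sig, expected)

def fails_under_strict_warnings(key: bytes) -> bool:
    """True if signing with `key` raises once warnings are treated as errors."""
    with warnings.catch_warnings():
        warnings.simplefilter("error")  # same effect as pytest filterwarnings=error
        try:
            sign({"sub": "user-1"}, key)
        except ShortHmacKeyWarning:
            return True
    return False
```

With both keys at 32 bytes the negative test still fails on signature mismatch rather than on the key-length warning, which is the property the PR description says it preserves.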