test: use a >=32-byte secret in JWTCookieHelper tests (unblocks pyjwt 2.13.0) #7394
Open
santicomp2014 wants to merge 1 commit into
pyjwt 2.13.0 emits InsecureKeyLengthWarning when jwt.encode() uses an HMAC key shorter than 32 bytes (HS256, RFC 7518 3.2). Our tests use 'test_secret' (11 bytes) and pytest runs with filterwarnings=error, so the warning fails the suite — blocking the pyjwt 2.13.0 security bump (#7376). Use a >=32-byte test secret; version-independent (works with the current 2.10.1 too). Production is unaffected — the warning is not an error there.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
70140bc to 3a0a615
Unblocks the pyjwt 2.13.0 security bump (#7376).

pyjwt 2.13.0 adds `InsecureKeyLengthWarning` — `jwt.encode()` with an HMAC key < 32 bytes (HS256) now warns (RFC 7518 §3.2). Our `JWTCookieHelper` tests use `"test_secret"` (11 bytes) and pytest runs `filterwarnings=error`, so the warning fails the suite → #7376 (and the same across repos) shows red Tests/Functests.

This swaps the 3 matching `"test_secret"` literals for a ≥32-byte value. Version-independent — passes with the current pyjwt 2.10.1, and clears the warning under 2.13.0. Verified in isolation: 11-byte key raises the warning, 39-byte key roundtrips clean under `-W error`.

Production is unaffected — the warning is never an error there; and the real `feature_flags_cookie_secret` deployment setting should already be a proper-length secret.

🤖 Generated with Claude Code
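The failure mode described above, as an added standard-library example that is not code from this PR or from pyjwt: an HS256 encoder applies the RFC 7518 §3.2 length check as a warning, and a helper promotes warnings to errors the way pytest's `filterwarnings=error` does. `ShortHmacKeyWarning` and all function names are hypothetical stand-ins chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import warnings

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: key at least as long as the hash output


class ShortHmacKeyWarning(UserWarning):
    """Local stand-in for the library warning named in the PR (hypothetical name)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(key: bytes, signing_input: str) -> str:
    return _b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())


def encode_hs256(payload: dict, secret: str) -> str:
    key = secret.encode("utf-8")
    if len(key) < MIN_HS256_KEY_BYTES:
        # A warning, not an exception: normal runs keep working, strict test runs do not.
        warnings.warn(f"HS256 key is {len(key)} bytes, below {MIN_HS256_KEY_BYTES}",
                      ShortHmacKeyWarning, stacklevel=2)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{_sign(key, header + '.' + body)}"


def decode_hs256(token: str, secret: str) -> dict:
    header, body, sig = token.split(".")
    expected = _sign(secret.encode("utf-8"), f"{header}.{body}")
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def roundtrips_under_strict_warnings(secret: str) -> bool:
    """Mimic pytest's filterwarnings=error: any warning becomes an exception."""
    with warnings.catch_warnings():
        warnings.simplefilter("error")
        try:
            claims = {"flags": ["beta"]}
            return decode_hs256(encode_hs256(claims, secret), secret) == claims
        except ShortHmacKeyWarning:
            return False
```

With the 11-byte `"test_secret"` the strict roundtrip fails at encode time, while a constructed 39-byte secret passes; outside strict mode the short key still signs and verifies, which is why only the test suite is affected.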