From 3a0a615c1dd4006e51ffcaceb729b7d4a545053e Mon Sep 17 00:00:00 2001
From: Santiago Regusci
Date: Wed, 1 Jul 2026 14:07:21 -0300
Subject: [PATCH] test: use a >=32-byte secret in JWTCookieHelper tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pyjwt 2.13.0 emits InsecureKeyLengthWarning when jwt.encode() uses an HMAC key shorter than 32 bytes (HS256, RFC 7518 3.2). Our tests use 'test_secret' (11 bytes) and pytest runs with filterwarnings=error, so the warning fails the suite — blocking the pyjwt 2.13.0 security bump (#7376). Use a >=32-byte test secret; version-independent (works with the current 2.10.1 too). Production is unaffected — the warning is not an error there.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../lms/extensions/feature_flags/_helpers_test.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/unit/lms/extensions/feature_flags/_helpers_test.py b/tests/unit/lms/extensions/feature_flags/_helpers_test.py
index e4e3bed342..25c9b4b42f 100644
--- a/tests/unit/lms/extensions/feature_flags/_helpers_test.py
+++ b/tests/unit/lms/extensions/feature_flags/_helpers_test.py
@@ -107,12 +107,18 @@ def test_set_encodes_the_payload_in_the_cookie(self, pyramid_request):
 helper.set(response, original_payload)
 cookie = response.headers["Set-Cookie"].split(";")[0].split("=")[1]
- decoded_payload = jwt.decode(cookie, "test_secret", algorithms=["HS256"])
+ decoded_payload = jwt.decode(
+ cookie, "test_secret_at_least_32_bytes_for_hs256", algorithms=["HS256"]
+ )
 assert decoded_payload == original_payload
 def test_get_returns_the_decoded_payload(self, pyramid_request):
 original_payload = {"test_key": "test_value"}
- encoded_payload = jwt.encode(original_payload, "test_secret", algorithm="HS256")
+ encoded_payload = jwt.encode(
+ original_payload,
+ "test_secret_at_least_32_bytes_for_hs256",
+ algorithm="HS256",
+ )
 pyramid_request.cookies["test_cookie_name"] = encoded_payload
 helper = JWTCookieHelper("test_cookie_name", pyramid_request)
@@ -143,5 +149,7 @@ def test_that_set_and_get_work_together(self, pyramid_request):
 @pytest.fixture(autouse=True)
 def pyramid_config(self, pyramid_config):
- pyramid_config.registry.settings["feature_flags_cookie_secret"] = "test_secret" # noqa: S105
+ pyramid_config.registry.settings["feature_flags_cookie_secret"] = (
+ "test_secret_at_least_32_bytes_for_hs256" # noqa: S105
+ )
 return pyramid_config
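Review bot: The key `"test_secret_at_least_32_bytes_for_hs256"` is now written out literally in `jwt.decode(...)` in `test_set_encodes_the_payload_in_the_cookie` and in `jwt.encode(...)` in `test_get_returns_the_decoded_payload`, and a third time in the `pyramid_config` fixture of the second hunk. The three copies can drift apart, and a mismatch would only show up as a failed decode rather than pointing at the cause. A single module-level constant, e.g. `TEST_SECRET = "test_secret_at_least_32_bytes_for_hs256"  # noqa: S105`, referenced at all three sites would keep the tests and the fixture in step. Both test methods extend beyond this hunk: the first starts above it and the second continues below it.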
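Review bot: The assignment in the `pyramid_config` fixture gives no reason for the unusually long value, so a later cleanup could shorten it and bring back the `InsecureKeyLengthWarning` failure. A comment above the assignment would record the constraint, e.g. `# HS256 key must be >= 32 bytes (RFC 7518 3.2); pyjwt warns otherwise and filterwarnings=error fails the test`. Separately, the commit message says the warning is not an error in production, so a deployed `feature_flags_cookie_secret` shorter than 32 bytes would keep signing cookies with an undersized HMAC key, and nothing in this change detects that. The code that reads the setting is not visible here, so it is worth confirming the real secret's length, or rejecting a short one where the setting is loaded.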