From 68ff0f863d97e830c9adc12284f35a9c4ec9b65b Mon Sep 17 00:00:00 2001
From: Christoph Ladurner
Date: Thu, 28 Nov 2024 23:17:35 +0100
Subject: [PATCH] fix: jwt lib changed

* pyjwt 2.10.0 changed the api to decode. verify-sub is now default. this change reinstates the old behavior
---
 invenio_accounts/utils.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/invenio_accounts/utils.py b/invenio_accounts/utils.py
index 4711e2a4..077537ed 100644
--- a/invenio_accounts/utils.py
+++ b/invenio_accounts/utils.py
@@ -2,6 +2,7 @@
 #
 # This file is part of Invenio.
 # Copyright (C) 2017-2024 CERN.
+# Copyright (C) 2024 Graz University of Technology.
 #
 # Invenio is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -105,6 +106,13 @@ def jwt_decode_token(token):
         return decode(
             token,
             current_app.config["ACCOUNTS_JWT_SECRET_KEY"],
+            options={
+                # Based on the JWT spec (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2)
+                # the "sub" claim has to be a string. However, we are not enforcing this
+                # and are assuming that the "sub" claim is an object/dictionary.
+                # PyJWT v2.10.0 started enforcing this and we are disabling this check.
+                "verify_sub": False,
+            },
             algorithms=[current_app.config["ACCOUNTS_JWT_ALOGORITHM"]],
         )
     except DecodeError as exc:
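Review bot: Setting `"verify_sub": False` in the `options` dict relaxes only PyJWT's type check on the `sub` claim; signature verification against `ACCOUNTS_JWT_SECRET_KEY` and the pinned `algorithms` list on the following line are untouched, so the hunk does not weaken token authentication, but the added comment should state that boundary explicitly, e.g. `# Only the claim-type check is relaxed; signature and algorithm checks still apply.`. As far as I recall the same PyJWT release also validates the claim type when encoding, so the token-creation path (outside this hunk) should be checked for the same non-string `sub` assumption. On PyJWT releases older than 2.10.0 an unknown option key appears to be merged and ignored, so the change looks backward-compatible, though that is worth confirming against the package's pinned minimum version. `jwt_decode_token` starts before this hunk and its `except` body continues after it.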