home-assistant: backport pyjwt 2.13.0 support

This commit is contained in:
Martin Weinelt 2026-06-24 18:14:24 +02:00
commit adc70fc450
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
2 changed files with 51 additions and 0 deletions

View file

@ -324,6 +324,9 @@ python3Packages.buildPythonApplication rec {
(replaceVars ./patches/ffmpeg-path.patch {
ffmpeg = "${lib.getExe ffmpeg-headless}";
})
# https://github.com/home-assistant/core/pull/172893
./patches/pyjwt-2.13-compat.patch
];
postPatch = ''

View file

@ -0,0 +1,48 @@
diff --git a/homeassistant/auth/__init__.py b/homeassistant/auth/__init__.py
index d4b86febd1d..0edd0edd69b 100644
--- a/homeassistant/auth/__init__.py
+++ b/homeassistant/auth/__init__.py
@@ -656,6 +656,8 @@ class AuthManager:
try:
unverif_claims = jwt_wrapper.unverified_hs256_token_decode(token)
except jwt.InvalidTokenError:
+ # PyJWT 2.13 raises InvalidKeyError (not an InvalidTokenError) when
+ # the refresh token's key has been removed and is therefore empty.
return None
refresh_token = self.async_get_refresh_token(
@@ -673,7 +675,7 @@ class AuthManager:
jwt_wrapper.verify_and_decode(
token, jwt_key, leeway=10, issuer=issuer, algorithms=["HS256"]
)
- except jwt.InvalidTokenError:
+ except jwt.InvalidTokenError, jwt.InvalidKeyError:
return None
if refresh_token is None or not refresh_token.user.is_active:
diff --git a/homeassistant/components/html5/notify.py b/homeassistant/components/html5/notify.py
index 24b395748d8..3424749e86d 100644
--- a/homeassistant/components/html5/notify.py
+++ b/homeassistant/components/html5/notify.py
@@ -327,7 +327,7 @@ class HTML5PushCallbackView(HomeAssistantView):
if target_check.get(ATTR_TARGET) in self.registrations:
possible_target = self.registrations[target_check[ATTR_TARGET]]
key = possible_target["subscription"]["keys"]["auth"]
- with suppress(jwt.exceptions.DecodeError), warnings.catch_warnings():
+ with suppress(jwt.exceptions.DecodeError, jwt.exceptions.InvalidKeyError), warnings.catch_warnings():
warnings.simplefilter("ignore", InsecureKeyLengthWarning)
return jwt.decode(token, key, algorithms=["ES256", "HS256"])
diff --git a/tests/components/elmax/conftest.py b/tests/components/elmax/conftest.py
index 02f01036996..c9c3f13e9e3 100644
--- a/tests/components/elmax/conftest.py
+++ b/tests/components/elmax/conftest.py
@@ -82,7 +82,7 @@ def httpx_mock_direct_fixture(base_uri: str) -> Generator[respx.MockRouter]:
expiration = datetime.now() + timedelta(hours=1)
decoded_jwt["payload"]["exp"] = int(expiration.timestamp())
jws_string = jwt.encode(
- payload=decoded_jwt["payload"], algorithm="HS256", key=""
+ payload=decoded_jwt["payload"], algorithm="HS256", key="test"
)
login_json["token"] = f"JWT {jws_string}"
login_route.return_value = Response(200, json=login_json)