
Breaking Security Fix in Upstream Dependency (cryptography) #223

@jrschiestle

Description


Hello,

A vulnerability scan flagged the upstream dependency cryptography (pycognito -> pyjwt[crypto] -> cryptography) that is fixed for versions > 42.0.4. See: GHSA-6vqw-3v5j-54x4

This update to cryptography causes breaking changes where:

from pycognito import Cognito

# Placeholder values; substitute real tokens and pool settings.
idToken = '<idToken>'
accessToken = '<accessToken>'

userPoolId = '<userPoolId>'
clientId = '<clientId>'
region = '<region>'

u = Cognito(
    user_pool_id=userPoolId,
    client_id=clientId,
    user_pool_region=region,
    id_token=idToken,
    access_token=accessToken
)
u.verify_tokens()

Results in:

>> TypeError: argument 'data': from_buffer() cannot return the address of a unicode object

with the error occurring upstream in jwt

If you attempt to pass the tokens in as bytes you get:

>> TypeError: a bytes-like object is required, not 'str'

Where the error occurs within pycognito.

I have created a PR to fix this breaking change by handling the cases at these two points of failure: #222
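The two errors above are the same type mismatch seen from both sides: the layer that splits the token on `.` wants `str`, while the signature back-end (cryptography, via pyjwt) wants `bytes`. The following is an added illustration, not code from pycognito or PR #222, of normalising the token once at the boundary so either input type works; it uses a constructed HS256 sample with stdlib `hmac` purely so it runs offline (Cognito tokens themselves are RS256).

```python
import base64
import hashlib
import hmac
import json
from typing import Union

Token = Union[str, bytes, bytearray]


def as_text(token: Token) -> str:
    """Normalise a JWT to str: the layer that splits on '.' needs text,
    whichever type the caller passed in. This is the 'bytes-like object
    is required, not str' side of the mismatch."""
    if isinstance(token, (bytes, bytearray)):
        return bytes(token).decode("ascii")
    if isinstance(token, str):
        return token
    raise TypeError(f"token must be str or bytes, not {type(token).__name__}")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: Token):
    """Return (header, payload, signature, signing_input). signing_input is
    bytes, because signature back-ends reject str ('from_buffer() cannot
    return the address of a unicode object')."""
    parts = as_text(token).split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three '.'-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    return header, payload, signature, f"{parts[0]}.{parts[1]}".encode("ascii")


def verify_hs256(token: Token, key: bytes) -> bool:
    """Constant-time HS256 check over the bytes signing input."""
    header, _, signature, signing_input = split_token(token)
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_hs256(payload: dict, key: bytes) -> str:
    """Build a constructed sample token (demo only, not a Cognito token)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}"
    sig = hmac.new(key, signing.encode("ascii"), hashlib.sha256).digest()
    return f"{signing}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"
```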
