From ba3faf0f185bc13bebde228f117538971e82a72c Mon Sep 17 00:00:00 2001 From: Jason Little Date: Tue, 28 Apr 2026 12:49:46 -0500 Subject: [PATCH 1/2] deps: remove pin on jwcrypto --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index a37df2c..8c87e16 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -24,7 +24,7 @@ classifiers = [ "Programming Language :: Python :: Implementation :: PyPy", ] dependencies = [ - "jwcrypto<=1.5.6", + "jwcrypto", "twisted", ] version = "0.13.1" From 6230a76744db2ae138a954064a66e3c8ef167d11 Mon Sep 17 00:00:00 2001 From: Jason Little Date: Tue, 28 Apr 2026 13:08:12 -0500 Subject: [PATCH 2/2] fix: Ensure tests use a token 64 bytes long as 512 bits are needed for HS512 --- tests/__init__.py | 11 +++++++---- tests/test_epa.py | 6 +++--- tests/test_jwt.py | 10 ++++++---- tests/test_oauth.py | 4 +++- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/tests/__init__.py b/tests/__init__.py index 0fbf1b1..a6f69a6 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -33,6 +33,9 @@ admins = {} logger = logging.getLogger(__name__) ENC_JWK = jwk.JWK.generate(kty="RSA", size=2048) +# secrets for token generation need to be 64 chars long, as it needs to have 512 bits +# since HS512 is used by default. The word 'jwcrypto' is 8 letters long. Perfect. +_DEFAULT_TOKEN_SECRET = "jwcrypto" * 8 class ModuleApiTestCase(synapsetest.HomeserverTestCase): @@ -110,7 +113,7 @@ def default_config(self) -> dict[str, Any]: { "module": "synapse_token_authenticator.TokenAuthenticator", "config": { - "jwt": {"secret": "foxies"}, + "jwt": {"secret": _DEFAULT_TOKEN_SECRET}, "oidc": { "issuer": "https://idp.example.test", "client_id": "1111@project", 
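Review bot: With the `<=1.5.6` cap removed, the `"jwcrypto"` entry in `dependencies` has no version constraint at all, so a resolver may still install an older release than the one this series was tested against. The second patch implies that newer jwcrypto expects a 512-bit key for HS512; if that check is meant to be a security property of the module, a lower bound makes it dependable, e.g. `"jwcrypto>=<first release that enforces the key length>",` (placeholder, the version is not visible in this patch). `"twisted"` on the following line is unconstrained as well.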
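Review bot: `_DEFAULT_TOKEN_SECRET` is named as module-private, yet tests/test_jwt.py imports it by name later in this patch (`from . import _DEFAULT_TOKEN_SECRET, ...`), so the leading underscore is misleading; `DEFAULT_TOKEN_SECRET` would match how it is used. The comment also says "64 chars" where the requirement it cites is 64 bytes; the two coincide only because the value is ASCII and get_jwk() encodes it as UTF-8. Suggested wording: `# HS512 needs a 512-bit key: 64 bytes after UTF-8 encoding ("jwcrypto" is 8 ASCII bytes).`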
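Review bot: Every fixture that used the 6-byte `"foxies"` secret, including this `"jwt": {"secret": ...}` entry and the two config hunks in tests/test_jwt.py, now uses a 64-byte value, so no test is left that exercises a secret shorter than the HS512 key size. If the unpinned jwcrypto rejects short HS512 keys, as the commit message implies, a homeserver configured with a short `jwt.secret` would presumably fail only when a token is verified, with no hint at startup. One test that loads the module with a short secret and asserts the intended outcome would pin that behaviour. Outside this diff, checking the secret length against the configured algorithm when the config is parsed would give the operator a clear error instead. The body of default_config continues outside the hunk.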
@@ -146,7 +149,7 @@ def default_config(self) -> dict[str, Any]: return conf -def get_jwk(secret="foxies", id="123456") -> jwk.JWK: +def get_jwk(secret=_DEFAULT_TOKEN_SECRET, id="123456") -> jwk.JWK: return jwk.JWK( k=base64.urlsafe_b64encode(secret.encode("utf-8")).decode("utf-8"), kty="oct", @@ -161,7 +164,7 @@ def get_enc_jwk() -> jwk.JWK: def get_jwt_token( username, exp_in=None, - secret="foxies", + secret=_DEFAULT_TOKEN_SECRET, algorithm="HS512", admin=None, claims=None, @@ -192,7 +195,7 @@ def get_jwt_token( def get_jwe_token( username, exp_in=None, - secret="foxies", + secret=_DEFAULT_TOKEN_SECRET, algorithm="HS512", admin=None, claims=None, diff --git a/tests/test_epa.py b/tests/test_epa.py index 9b78531..d607f86 100644 --- a/tests/test_epa.py +++ b/tests/test_epa.py @@ -52,9 +52,9 @@ async def test_invalid_token(self): self.assertEqual(result, None) async def test_token_wrong_secret(self): - token = get_jwe_token( - "alice", secret="wrong secret", claims=get_default_claims() - ) + # The secret needs to be 64 bytes, so pad it and bulk copy it. 16 * 4 = 64 + secret = "wrong secret1234" * 4 + token = get_jwe_token("alice", secret=secret, claims=get_default_claims()) result = await self.hs.mockmod.check_epa( "alice", "com.famedly.login.token.epa", {"token": token} ) diff --git a/tests/test_jwt.py b/tests/test_jwt.py index 031c0e6..0cab91f 100644 --- a/tests/test_jwt.py +++ b/tests/test_jwt.py @@ -17,7 +17,7 @@ import tests.unittest as synapsetest -from . import ModuleApiTestCase, get_jwt_token +from . import _DEFAULT_TOKEN_SECRET, ModuleApiTestCase, get_jwt_token class JWTTests(ModuleApiTestCase): 
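Review bot: `base64.urlsafe_b64encode` keeps `=` padding, so with the new 64-byte default the `k` passed to `jwk.JWK(...)` now ends in `==`, whereas the old 6-byte `"foxies"` happened to encode without padding. JWK `k` values are base64url with the trailing padding omitted (RFC 7515 section 2); jwcrypto seems to tolerate the padded form, but the helper should not rely on that: `k=base64.urlsafe_b64encode(secret.encode("utf-8")).rstrip(b"=").decode("utf-8"),`. The body of get_jwk continues outside the hunk.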
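Review bot: The literal `"wrong secret1234" * 4` and its comment are repeated verbatim in test_token_wrong_secret here and in the matching hunks of tests/test_jwt.py and tests/test_oauth.py; a shared constant next to `_DEFAULT_TOKEN_SECRET` in tests/__init__.py, e.g. `WRONG_TOKEN_SECRET = "wrong secret1234" * 4  # 64 bytes, differs from the default`, would keep the three in step. The comment "16 * 4 = 64" gives the arithmetic but not the intent. What matters for this test is that the key is long enough for HS512 yet differs from the configured one, so that the rejection comes from the signature check and not from a key-length error. The assertion lies outside the hunk.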
@@ -41,7 +41,9 @@ async def test_invalid_token(self): self.assertEqual(result, None) async def test_token_wrong_secret(self): - token = get_jwt_token("alice", secret="wrong secret") + # The secret needs to be 64 bytes, so pad it and bulk copy it. 16 * 4 = 64 + secret = "wrong secret1234" * 4 + token = get_jwt_token("alice", secret=secret) result = await self.hs.mockmod.check_jwt_auth( "alice", "com.famedly.login.token", {"token": token} ) @@ -75,7 +77,7 @@ async def test_token_no_expiry(self): "module": "synapse_token_authenticator.TokenAuthenticator", "config": { "jwt": { - "secret": "foxies", + "secret": _DEFAULT_TOKEN_SECRET, "require_expiry": False, } }, @@ -134,7 +136,7 @@ async def test_chatbox_login_invalid_format(self, *args): "module": "synapse_token_authenticator.TokenAuthenticator", "config": { "jwt": { - "secret": "foxies", + "secret": _DEFAULT_TOKEN_SECRET, "allow_registration": True, }, }, diff --git a/tests/test_oauth.py b/tests/test_oauth.py index 6c7eedc..da239cc 100644 --- a/tests/test_oauth.py +++ b/tests/test_oauth.py @@ -57,7 +57,9 @@ async def test_invalid_token(self): self.assertEqual(result, None) async def test_token_wrong_secret(self): - token = get_jwt_token("aliceid", secret="wrong secret", claims=default_claims) + # The secret needs to be 64 bytes, so pad it and bulk copy it. 16 * 4 = 64 + secret = "wrong secret1234" * 4 + token = get_jwt_token("aliceid", secret=secret, claims=default_claims) result = await self.hs.mockmod.check_oauth( "alice", "com.famedly.login.token.oauth", {"token": token} )