From 64f0859f21dbb979b548cb52e29a8ee1309ab4e7 Mon Sep 17 00:00:00 2001
From: Daniel Hahler
Date: Thu, 22 Jun 2017 20:52:19 +0200
Subject: [PATCH] Optimize jwt_decode_handler

1. There is no need to decode the payload without verification first, in case `api_settings.JWT_PUBLIC_KEY` is used.
2. It also skips decoding in case `api_settings.JWT_GET_USER_SECRET_KEY` is not used.
This might be a problem in case somebody is monkey-patching `jwt_get_secret_key`, but that should not be considered stable/public API, should it?
---
 rest_framework_jwt/utils.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/rest_framework_jwt/utils.py b/rest_framework_jwt/utils.py
index c72197bc..56e6a460 100644
--- a/rest_framework_jwt/utils.py
+++ b/rest_framework_jwt/utils.py
@@ -97,15 +97,21 @@ def jwt_encode_handler(payload):
 
 
 def jwt_decode_handler(token):
+    key = api_settings.JWT_PUBLIC_KEY
+    if not key:
+        if api_settings.JWT_GET_USER_SECRET_KEY:
+            # get user from token, BEFORE verification, to get user secret key
+            unverified_payload = jwt.decode(token, None, False)
+            key = jwt_get_secret_key(unverified_payload)
+        else:
+            key = api_settings.JWT_SECRET_KEY
+
     options = {
         'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
     }
-    # get user from token, BEFORE verification, to get user secret key
-    unverified_payload = jwt.decode(token, None, False)
-    secret_key = jwt_get_secret_key(unverified_payload)
     return jwt.decode(
         token,
-        api_settings.JWT_PUBLIC_KEY or secret_key,
+        key,
         api_settings.JWT_VERIFY,
         options=options,
         leeway=api_settings.JWT_LEEWAY,
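Review bot: The new `if api_settings.JWT_GET_USER_SECRET_KEY:` branch hands a payload decoded with verification disabled (`jwt.decode(token, None, False)`) to `jwt_get_secret_key`, and the moved comment does not say that those claims are unauthenticated at that point; since this is now the only place the unverified decode happens, the contract should be explicit, e.g. `# payload is UNVERIFIED here (signature not checked): use it only as a lookup key for the user's secret, never as authenticated data`. The `if not key:` guard also treats an empty-string `JWT_PUBLIC_KEY` as unset, which matches the old `JWT_PUBLIC_KEY or secret_key` but is worth stating in a comment, because a misconfigured empty public key silently falls back to the shared-secret path rather than failing. The `jwt.decode(...)` call and `jwt_decode_handler` itself continue past the end of the hunk, so whatever follows `leeway=` (for example any algorithm restriction) cannot be checked from here.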