
`URLSafeSerializer.dumps` may return `bytes`

Open stgn opened this issue 3 months ago • 2 comments

```pycon
>>> import msgpack
>>> from itsdangerous import URLSafeSerializer
>>> s = URLSafeSerializer("secret")
>>> s.dumps({"id": 123})
'eyJpZCI6MTIzfQ.UIuiA6AeHCMVakMgReamCo8eHes'
>>> s = URLSafeSerializer("secret", serializer=msgpack)
>>> s.dumps({"id": 123})
b'gaJpZHs.5dxbKqWJ035xXL4QPY7qC6d2WS4'
```

I'm assuming this is unintentional.

Additionally, typing information states that the return type of URLSafeSerializer.dumps is str, since URLSafeSerializer is a subclass of Serializer[str]. Evidently, this is false.

Environment:

  • Python version: 3.13
  • ItsDangerous version: 2.2.0

stgn avatar Sep 17 '25 21:09 stgn

It returns whatever the serializer returns. You can write a wrapper if you want msgpack to return str instead. Happy to review a PR if the types are not expressed properly.

davidism avatar Sep 17 '25 23:09 davidism

I just ran into this issue by opting some existing code into type checking. I don't think I can wrap a serializer like cbor2/msgpack to return str since they're not valid as strings until URLSafeSerializerMixin encodes to base64.

RazerM avatar Oct 15 '25 07:10 RazerM
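
The behaviour discussed in this thread, as an added example that is not from the issue or from the itsdangerous project: it normalizes the token to `str` after signing, and shows what goes wrong if a `bytes` token is formatted into a URL. `BytesJSON` is a constructed stand-in for a bytes-returning serializer such as msgpack or cbor2, and `TextURLSafeSerializer`, `demo` and the `/confirm` URL are hypothetical names.

```python
import json

from itsdangerous import BadSignature, URLSafeSerializer


class BytesJSON:
    """Constructed stand-in for msgpack/cbor2: dumps() returns bytes."""

    @staticmethod
    def dumps(obj):
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    @staticmethod
    def loads(data):
        return json.loads(data)


class TextURLSafeSerializer(URLSafeSerializer):
    """Hypothetical subclass that always returns the signed token as str."""

    def dumps(self, obj, salt=None):
        token = super().dumps(obj, salt=salt)
        # Payload and signature are both URL-safe base64 joined by ".",
        # so the token is ASCII even when the inner serializer is binary.
        return token.decode("ascii") if isinstance(token, bytes) else token


def demo():
    raw = URLSafeSerializer("secret", serializer=BytesJSON).dumps({"id": 123})
    text = TextURLSafeSerializer("secret", serializer=BytesJSON)
    token = text.dumps({"id": 123})
    # Pitfall: formatting a bytes token embeds its repr (b'...') in the URL.
    bad_url = f"/confirm?t={raw}"
    # Change one payload character; the signature check must reject it.
    forged = ("f" if token[0] != "f" else "g") + token[1:]
    try:
        text.loads(forged)
        rejected = False
    except BadSignature:
        rejected = True
    return {"raw": raw, "token": token, "bad_url": bad_url,
            "loaded": text.loads(token), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

`loads` accepts either `str` or `bytes`, so only the `dumps` side needs normalizing.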