From f0231c1f2971e71832c9e6c34c131b2a1c319299 Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Tue, 13 Feb 2018 14:23:34 -0800
Subject: [PATCH] Specify algorithms for webpush jwt verification (#12378)
---
 homeassistant/components/notify/html5.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/homeassistant/components/notify/html5.py b/homeassistant/components/notify/html5.py
index 5d41004ba1d..45439dbfbfe 100644
--- a/homeassistant/components/notify/html5.py
+++ b/homeassistant/components/notify/html5.py
@@ -255,12 +255,12 @@ class HTML5PushCallbackView(HomeAssistantView):
 # 2a. If decode is successful, return the payload.
 # 2b. If decode is unsuccessful, return a 401.
- target_check = jwt.decode(token, options={'verify_signature': False})
+ target_check = jwt.decode(token, verify=False)
 if target_check[ATTR_TARGET] in self.registrations:
 possible_target = self.registrations[target_check[ATTR_TARGET]]
 key = possible_target[ATTR_SUBSCRIPTION][ATTR_KEYS][ATTR_AUTH]
 try:
- return jwt.decode(token, key)
+ return jwt.decode(token, key, algorithms=["ES256", "HS256"])
 except jwt.exceptions.DecodeError:
 pass
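Review bot: The allowlist on the verified `jwt.decode` call mixes an asymmetric and a symmetric algorithm for one `key`, which here is the subscription's `auth` value. Accepting both families against the same key material is the usual precondition for algorithm confusion, so if the tokens are only ever issued with HMAC (the issuing code is outside this hunk), pin it to `algorithms=["HS256"]`. The allowlist also adds a failure path: PyJWT raises `InvalidAlgorithmError` for a token whose header names any other algorithm, and that is not a `DecodeError`, so the `except` two lines below will not turn it into the 401 described in step 2b. `except jwt.exceptions.InvalidTokenError:` would cover it together with expiry and claim errors. The unverified `target_check[ATTR_TARGET]` lookup sits outside the `try` and assumes the claim exists, so a token without it raises `KeyError` unless the part of the method outside this hunk handles that.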