Merge pull request #278 from open-contracting/pyjwt

fix: Switch to pyjwt from python-jose #277

.github/workflows/automerge.yml

@@ -8,7 +8,7 @@ permissions:
   contents: write  # to merge the PR
 jobs:
   dependabot:
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
       - id: dependabot-metadata
@@ -24,7 +24,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}
   precommit:
-    if: ${{ github.actor == 'pre-commit-ci[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'pre-commit-ci[bot]' }}
     runs-on: ubuntu-latest
     steps:
       - env:

app/auth.py

@@ -1,10 +1,10 @@
 from typing import Any
 
+import jwt
 import requests
 from fastapi import HTTPException, Request, status
 from fastapi.security import HTTPBearer
-from jose import JWTError, jwk, jwt
-from jose.utils import base64url_decode
+from jwt.utils import base64url_decode
 from pydantic import BaseModel
 
 from app.settings import app_settings
@@ -55,10 +55,14 @@ def verify_jwk_token(self, jwt_credentials: JWTAuthorizationCredentials) -> bool
         except KeyError:
             raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="JWK public key not found")
 
-        key = jwk.construct(public_key)
-        decoded_signature = base64url_decode(jwt_credentials.signature.encode())
+        msg = jwt_credentials.message.encode()
+        sig = base64url_decode(jwt_credentials.signature.encode())
 
-        return key.verify(jwt_credentials.message.encode(), decoded_signature)
+        obj = jwt.PyJWK(public_key)
+        alg_obj = obj.Algorithm
+        prepared_key = alg_obj.prepare_key(obj.key)
+
+        return alg_obj.verify(msg, prepared_key, sig)
 
     async def __call__(self, request: Request) -> JWTAuthorizationCredentials | None:
         """
@@ -85,11 +89,11 @@ async def __call__(self, request: Request) -> JWTAuthorizationCredentials | None
                 jwt_credentials = JWTAuthorizationCredentials(
                     jwt_token=jwt_token,
                     header=jwt.get_unverified_header(jwt_token),
-                    claims=jwt.get_unverified_claims(jwt_token),
+                    claims=jwt.decode(jwt_token, options={"verify_signature": False}),
                     signature=signature,
                     message=message,
                 )
-            except JWTError:
+            except jwt.InvalidTokenError:
                 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="JWK invalid")
 
             if not self.verify_jwk_token(jwt_credentials):

requirements.in

@@ -8,7 +8,7 @@ mypy-boto3-ses
 pandas
 pydantic
 pydantic-settings
-python-jose
+pyjwt[crypto]
 python-multipart
 reportlab
 requests

requirements.txt

@@ -27,6 +27,8 @@ certifi==2023.7.22
     #   httpx
     #   requests
     #   sentry-sdk
+cffi==1.16.0
+    # via cryptography
 charset-normalizer==3.1.0
     # via requests
 click==8.1.3
@@ -36,8 +38,8 @@ click==8.1.3
     #   uvicorn
 colorama==0.4.6
     # via typer
-ecdsa==0.18.0
-    # via python-jose
+cryptography==42.0.5
+    # via pyjwt
 fastapi==0.109.2
     # via
     #   -r requirements.in
@@ -83,10 +85,8 @@ pillow==10.2.0
     # via reportlab
 psycopg2==2.9.6
     # via sqlalchemy
-pyasn1==0.5.0
-    # via
-    #   python-jose
-    #   rsa
+pycparser==2.21
+    # via cffi
 pydantic==2.5.2
     # via
     #   -r requirements.in
@@ -99,6 +99,8 @@ pydantic-settings==2.1.0
     # via -r requirements.in
 pygments==2.15.1
     # via rich
+pyjwt[crypto]==2.8.0
+    # via -r requirements.in
 pyseeyou==1.0.2
     # via transifex-python
 python-dateutil==2.8.2
@@ -107,8 +109,6 @@ python-dateutil==2.8.2
     #   pandas
 python-dotenv==1.0.0
     # via pydantic-settings
-python-jose==3.3.0
-    # via -r requirements.in
 python-multipart==0.0.7
     # via -r requirements.in
 pytz==2023.3
@@ -125,8 +125,6 @@ requests==2.31.0
     #   transifex-python
 rich==13.4.2
     # via typer
-rsa==4.9
-    # via python-jose
 s3transfer==0.6.1
     # via boto3
 sentry-sdk[fastapi]==1.23.1
@@ -136,7 +134,6 @@ shellingham==1.5.0.post1
 six==1.16.0
     # via
     #   asttokens
-    #   ecdsa
     #   python-dateutil
 sniffio==1.3.0
     # via

requirements_dev.txt

@@ -44,8 +44,10 @@ certifi==2023.7.22
     #   httpx
     #   requests
     #   sentry-sdk
-cffi==1.15.1
-    # via cryptography
+cffi==1.16.0
+    # via
+    #   -r requirements.txt
+    #   cryptography
 cfgv==3.3.1
     # via pre-commit
 charset-normalizer==3.1.0
@@ -70,17 +72,18 @@ coverage[toml]==6.5.0
     #   pytest-cov
 coveralls==3.3.1
     # via -r requirements_dev.in
-cryptography==42.0.4
+cryptography==42.0.5
     # via
+    #   -r requirements.txt
     #   moto
+    #   pyjwt
     #   python-jose
 distlib==0.3.6
     # via virtualenv
 docopt==0.6.2
     # via coveralls
 ecdsa==0.18.0
     # via
-    #   -r requirements.txt
     #   moto
     #   python-jose
 fastapi==0.109.2
@@ -194,13 +197,14 @@ psycopg2==2.9.6
     #   sqlalchemy
 pyasn1==0.5.0
     # via
-    #   -r requirements.txt
     #   python-jose
     #   rsa
 pycodestyle==2.10.0
     # via flake8
 pycparser==2.21
-    # via cffi
+    # via
+    #   -r requirements.txt
+    #   cffi
 pydantic==2.5.2
     # via
     #   -r requirements.txt
@@ -219,6 +223,8 @@ pygments==2.15.1
     # via
     #   -r requirements.txt
     #   rich
+pyjwt[crypto]==2.8.0
+    # via -r requirements.txt
 pyproject-hooks==1.0.0
     # via build
 pyseeyou==1.0.2
@@ -245,9 +251,7 @@ python-dotenv==1.0.0
     #   -r requirements.txt
     #   pydantic-settings
 python-jose[cryptography]==3.3.0
-    # via
-    #   -r requirements.txt
-    #   moto
+    # via moto
 python-multipart==0.0.7
     # via -r requirements.txt
 pytz==2023.3
@@ -283,9 +287,7 @@ rich==13.4.2
     #   -r requirements.txt
     #   typer
 rsa==4.9
-    # via
-    #   -r requirements.txt
-    #   python-jose
+    # via python-jose
 s3transfer==0.6.1
     # via
     #   -r requirements.txt