From a97096c84783348085eca6cd73ed3d09fa1dd7af Mon Sep 17 00:00:00 2001
From: James McKinney <26463+jpmckinney@users.noreply.github.com>
Date: Wed, 27 Mar 2024 11:42:00 -0400
Subject: [PATCH] fix: Switch to pyjwt from python-jose #277
---
 app/auth.py | 12 ++++++------
 requirements.in | 2 +-
 requirements.txt | 19 ++++++++----------
 requirements_dev.txt | 26 ++++++++++++++------------
 4 files changed, 29 insertions(+), 30 deletions(-)
diff --git a/app/auth.py b/app/auth.py
index c6706268..b49ab7da 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -1,10 +1,10 @@
 from typing import Any
+import jwt
 import requests
 from fastapi import HTTPException, Request, status
 from fastapi.security import HTTPBearer
-from jose import JWTError, jwk, jwt
-from jose.utils import base64url_decode
+from jwt.utils import base64url_decode
 from pydantic import BaseModel
 from app.settings import app_settings
@@ -55,10 +55,10 @@ def verify_jwk_token(self, jwt_credentials: JWTAuthorizationCredentials) -> bool
 except KeyError:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="JWK public key not found")
- key = jwk.construct(public_key)
+ key = jwt.PyJWK(public_key)
 decoded_signature = base64url_decode(jwt_credentials.signature.encode())
- return key.verify(jwt_credentials.message.encode(), decoded_signature)
+ return key.verify(jwt_credentials.message.encode(), decoded_signature) # TODO
 async def __call__(self, request: Request) -> JWTAuthorizationCredentials | None:
 """
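Review bot: The new `key.verify(jwt_credentials.message.encode(), decoded_signature)` line calls a method that, as far as I can tell from PyJWT 2.8.0 (the version this patch pins), `jwt.PyJWK` does not have — the object exposes the parsed key as `.key` and the algorithm implementation as `.Algorithm`, so every request would fail with an AttributeError (a 500, not the intended 403); the trailing `# TODO` suggests this was noticed but not finished. The signature check belongs on the algorithm: `return key.Algorithm.verify(jwt_credentials.message.encode(), key.key, decoded_signature)`, where the algorithm is chosen from the JWK's `alg`/`kty` rather than from the token header, which is the safe direction. A fuller alternative is a single `jwt.decode(jwt_credentials.jwt_token, key.key, algorithms=[...])` with the accepted algorithms pinned server-side, which verifies signature and registered claims together. Also worth noting that a malformed JWK document makes `jwt.PyJWK(...)` raise `jwt.PyJWKError`/`jwt.InvalidKeyError`, which nothing in this hunk catches. verify_jwk_token's body starts before the hunk.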
@@ -85,11 +85,11 @@ async def __call__(self, request: Request) -> JWTAuthorizationCredentials | None
 jwt_credentials = JWTAuthorizationCredentials(
 jwt_token=jwt_token,
 header=jwt.get_unverified_header(jwt_token),
- claims=jwt.get_unverified_claims(jwt_token),
+ claims=jwt.decode(jwt_token, options={"verify_signature": False}),
 signature=signature,
 message=message,
 )
- except JWTError:
+ except jwt.InvalidTokenError:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="JWK invalid")
 if not self.verify_jwk_token(jwt_credentials):
diff --git a/requirements.in b/requirements.in
index 5075b297..f5c3484f 100644
--- a/requirements.in
+++ b/requirements.in
@@ -8,7 +8,7 @@ mypy-boto3-ses
 pandas
 pydantic
 pydantic-settings
-python-jose
+pyjwt[crypto]
 python-multipart
 reportlab
 requests
diff --git a/requirements.txt b/requirements.txt
index 6c733dbd..902bf8c2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,6 +27,8 @@ certifi==2023.7.22
 # httpx
 # requests
 # sentry-sdk
+cffi==1.16.0
+ # via cryptography
 charset-normalizer==3.1.0
 # via requests
 click==8.1.3
@@ -36,8 +38,8 @@ click==8.1.3
 # uvicorn
 colorama==0.4.6
 # via typer
-ecdsa==0.18.0
- # via python-jose
+cryptography==42.0.5
+ # via pyjwt
 fastapi==0.109.2
 # via
 # -r requirements.in
@@ -83,10 +85,8 @@ pillow==10.2.0
 # via reportlab
 psycopg2==2.9.6
 # via sqlalchemy
-pyasn1==0.5.0
- # via
- # python-jose
- # rsa
+pycparser==2.21
+ # via cffi
 pydantic==2.5.2
 # via
 # -r requirements.in
@@ -99,6 +99,8 @@ pydantic-settings==2.1.0
 # via -r requirements.in
 pygments==2.15.1
 # via rich
+pyjwt[crypto]==2.8.0
+ # via -r requirements.in
 pyseeyou==1.0.2
 # via transifex-python
 python-dateutil==2.8.2
@@ -107,8 +109,6 @@ python-dateutil==2.8.2
 # pandas
 python-dotenv==1.0.0
 # via pydantic-settings
-python-jose==3.3.0
- # via -r requirements.in
 python-multipart==0.0.7
 # via -r requirements.in
 pytz==2023.3
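Review bot: With `options={"verify_signature": False}`, PyJWT also defaults `verify_exp`, `verify_nbf`, `verify_iat`, `verify_aud` and `verify_iss` to off, so the `claims` built on the new line are not checked for expiry at this point; if nothing later in `__call__` (which continues past the hunk) enforces `exp`, a once-valid signed token never stops working. The explicit opt-in is honoured even when the signature check is skipped, so the minimal in-place fix is `claims=jwt.decode(jwt_token, options={"verify_signature": False, "verify_exp": True}),` — an expired token then raises `jwt.ExpiredSignatureError`, which the new `except jwt.InvalidTokenError` already maps to the 403. That claim check runs on the still-unverified payload and is only meaningful because `self.verify_jwk_token(jwt_credentials)` is required to pass afterwards; if audience or issuer are also expected, `verify_aud`/`verify_iss` with the matching `audience=`/`issuer=` arguments belong in the same call. The enclosing `__call__` starts before the hunk.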
@@ -125,8 +125,6 @@ requests==2.31.0
 # transifex-python
 rich==13.4.2
 # via typer
-rsa==4.9
- # via python-jose
 s3transfer==0.6.1
 # via boto3
 sentry-sdk[fastapi]==1.23.1
@@ -136,7 +134,6 @@ shellingham==1.5.0.post1
 six==1.16.0
 # via
 # asttokens
- # ecdsa
 # python-dateutil
 sniffio==1.3.0
 # via
diff --git a/requirements_dev.txt b/requirements_dev.txt
index 25dc7979..6d2b8f52 100644
--- a/requirements_dev.txt
+++ b/requirements_dev.txt
@@ -44,8 +44,10 @@ certifi==2023.7.22
 # httpx
 # requests
 # sentry-sdk
-cffi==1.15.1
- # via cryptography
+cffi==1.16.0
+ # via
+ # -r requirements.txt
+ # cryptography
 cfgv==3.3.1
 # via pre-commit
 charset-normalizer==3.1.0
@@ -70,9 +72,11 @@ coverage[toml]==6.5.0
 # pytest-cov
 coveralls==3.3.1
 # via -r requirements_dev.in
-cryptography==42.0.4
+cryptography==42.0.5
 # via
+ # -r requirements.txt
 # moto
+ # pyjwt
 # python-jose
 distlib==0.3.6
 # via virtualenv
@@ -80,7 +84,6 @@ docopt==0.6.2
 # via coveralls
 ecdsa==0.18.0
 # via
- # -r requirements.txt
 # moto
 # python-jose
 fastapi==0.109.2
@@ -194,13 +197,14 @@ psycopg2==2.9.6
 # sqlalchemy
 pyasn1==0.5.0
 # via
- # -r requirements.txt
 # python-jose
 # rsa
 pycodestyle==2.10.0
 # via flake8
 pycparser==2.21
- # via cffi
+ # via
+ # -r requirements.txt
+ # cffi
 pydantic==2.5.2
 # via
 # -r requirements.txt
@@ -219,6 +223,8 @@ pygments==2.15.1
 # via
 # -r requirements.txt
 # rich
+pyjwt[crypto]==2.8.0
+ # via -r requirements.txt
 pyproject-hooks==1.0.0
 # via build
 pyseeyou==1.0.2
@@ -245,9 +251,7 @@ python-dotenv==1.0.0
 # -r requirements.txt
 # pydantic-settings
 python-jose[cryptography]==3.3.0
- # via
- # -r requirements.txt
- # moto
+ # via moto
 python-multipart==0.0.7
 # via -r requirements.txt
 pytz==2023.3
@@ -283,9 +287,7 @@ rich==13.4.2
 # -r requirements.txt
 # typer
 rsa==4.9
- # via
- # -r requirements.txt
- # python-jose
+ # via python-jose
 s3transfer==0.6.1
 # via
 # -r requirements.txt