replaces python-jose with pyjwt using cryptography as a backend #103
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Grzegorz Redlicki <redlicki.grzegorz@gmail.com>
# Conflicts: # requirements-dev.txt # requirements.txt # setup.py # tests/conftest.py
Co-authored-by: Grzegorz Redlicki <redlicki.grzegorz@gmail.com>
| @@ -52,28 +51,6 @@ def test_proper_jwt( | |||
| decoded_jwt_data = decode_jwt(full_access_auth_header) | |||
| assert decoded_jwt_data == full_access_authz_payload | |||
|
|
|||
| def test_expired_jwt(self) -> None: | |||
There was a problem hiding this comment.
I don't get why you moved these tests below if they remained in the same class 🤷
There was a problem hiding this comment.
It just makes the review unnecessarily harder 😉
Co-authored-by: Grzegorz Redlicki <redlicki.grzegorz@gmail.com>
redlickigrzegorz
approved these changes
Dec 16, 2024
Comment on lines
+37
to
+41
| token_payload = { | ||
| "iss": "test-issuer", | ||
| "aud": "test-audience", | ||
| "kid": "x", | ||
| } |
There was a problem hiding this comment.
In general, the payload does not matter for this test 🤔
Suggested change
| token_payload = { | |
| "iss": "test-issuer", | |
| "aud": "test-audience", | |
| "kid": "x", | |
| } |
Comment on lines
+35
to
+36
| public_key = deepcopy(SAMPLE_PUBLIC_KEY) | ||
| public_key["kid"] = "9494ad75-aaaa-aaaa-aaaa-c1a17da22b35" |
There was a problem hiding this comment.
It would be much simpler to change input data instead of manipulating the test environment:
Suggested change
| public_key = deepcopy(SAMPLE_PUBLIC_KEY) | |
| public_key["kid"] = "9494ad75-aaaa-aaaa-aaaa-c1a17da22b35" | |
| private_key = deepcopy(SAMPLE_PRIVATE_KEY) | |
| private_key["kid"] = kid = "9494ad75-aaaa-aaaa-aaaa-c1a17da22b35" |
| "aud": "test-audience", | ||
| "kid": "x", | ||
| } | ||
| jwt_token = encode_jwt(token_payload, SAMPLE_PRIVATE_KEY) |
There was a problem hiding this comment.
According to the above comments:
Suggested change
| jwt_token = encode_jwt(token_payload, SAMPLE_PRIVATE_KEY) | |
| jwt_token = encode_jwt(data={}, private_key_jwk=private_key) |
Comment on lines
+44
to
+46
| with patch.dict(environ, {"ALLOWED_PUBLIC_KEYS": json.dumps({"keys": [public_key]})}): | ||
| with pytest.raises(Unauthorized): | ||
| decode_jwt(jwt_token) |
There was a problem hiding this comment.
According to the above comments:
Suggested change
| with patch.dict(environ, {"ALLOWED_PUBLIC_KEYS": json.dumps({"keys": [public_key]})}): | |
| with pytest.raises(Unauthorized): | |
| decode_jwt(jwt_token) | |
| with pytest.raises(Unauthorized): | |
| decode_jwt(jwt_token) |
| with patch.dict(environ, {"ALLOWED_PUBLIC_KEYS": json.dumps({"keys": [public_key]})}): | ||
| with pytest.raises(Unauthorized): | ||
| decode_jwt(jwt_token) | ||
| assert "The key with id=" in caplog.text |
There was a problem hiding this comment.
We should rather check the whole log instead of relying on its small parts:
Suggested change
| assert "The key with id=" in caplog.text | |
| assert caplog.record_tuples == [ | |
| ( | |
| "lbz.jwt_utils", | |
| logging.WARNING, | |
| f"The key with id={kid} was not found in the environment variable.", | |
| ) | |
| ] |
| @@ -98,8 +98,7 @@ bandit: | |||
| .PHONY: pip-audit | |||
| pip-audit: | |||
| pip-audit --version | |||
| # TODO: Fix the issue with the vulnerable ecdsa and jose libraries | |||
| pip-audit -r requirements.txt --ignore-vuln GHSA-wj6h-64fc-37mp --ignore-vuln GHSA-cjwg-qfpm-7377 --ignore-vuln GHSA-6c5p-j8vq-pqhj | |||
| pip-audit -r requirements.txt | |||
There was a problem hiding this comment.
Let's use OSV as a vulnerability service as it collects vulnerabilities from multiple sources:
Suggested change
| pip-audit -r requirements.txt | |
| pip-audit --vulnerability-service osv -r requirements.txt |
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.