Migrate from python-jose to PyJWT

python-jose nowadays unmaintained and contains some vulnerabilities such as mpdavis/python-jose#341 Therefore, we replace python-jose with PyJWT with is almost API-compatible and still maintained
kingjan1999 · Nov 21, 2024 · df50712 · df50712
1 parent 2fd79cc
commit df50712
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 13 deletions.
diff --git a/hubble/utils/jwks.py b/hubble/utils/jwks.py
@@ -1,4 +1,5 @@
 import requests
+from jwt import PyJWK
 
 from .api_utils import get_domain_url, get_json_from_response
 from .config import config
@@ -12,7 +13,7 @@ def get_keys(kid: str):
         if len(matching_jwks) > 0:
             return matching_jwks
         hubble_jwks = JSONWebKeySet.get_keys_from_hubble()
-        matching_jwks = [key for key in hubble_jwks if key['kid'] == kid]
+        matching_jwks = [PyJWK(key) for key in hubble_jwks if key['kid'] == kid]
         return matching_jwks
 
     @staticmethod

diff --git a/hubble/utils/jwt_parser.py b/hubble/utils/jwt_parser.py
@@ -1,7 +1,7 @@
 import base64
 import json
 
-from jose import jwt
+import jwt
 
 from .jwks import JSONWebKeySet
 
@@ -44,7 +44,7 @@ def validate_jwt(token: str, aud: str = None):
     try:
         decoded = jwt.decode(
             token,
-            json.dumps(keys[0]),
+            keys[0],
             algorithms=supported_algorithms,
             audience=aud,
             options={

diff --git a/requirements.txt b/requirements.txt
@@ -6,4 +6,4 @@ filelock
 pathspec
 docker
 pyyaml
-python-jose
+pyjwt[crypto]
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -1,7 +1,7 @@
 import tempfile
 
 import pytest
-from jose import jwt
+import jwt
 
 
 @pytest.fixture(autouse=True)

diff --git a/tests/unit/utils/test_jwt_parser.py b/tests/unit/utils/test_jwt_parser.py
@@ -6,9 +6,9 @@
     validate_back_channel_logout_jwt,
     validate_jwt,
 )
-from jose import jwt
+import jwt
 
-PRIVATE_KEY = {
+PRIVATE_KEY = jwt.PyJWK({
     "kty": "EC",
     "d": "iLw805NZwMRKwcXOmtDPGlB158S_PUkRVnlbmEMmO2E",
     "use": "sig",
@@ -17,29 +17,29 @@
     "x": "KmpjXcs-ZoVBTqhzI5rlTqq0-BASZUOUINkYCcZG9K8",
     "y": "z-jGVJXhv1pfh_ic8wWTE30p_2JT0aTshfxx_TtiMm0",
     "alg": "ES256",
-}
+})
 
-PUBLIC_KEY = {
+PUBLIC_KEY = jwt.PyJWK({
     "kty": "EC",
     "use": "sig",
     "crv": "P-256",
     "kid": "AO78Ls0d2WgEYpwUF1qv_TcBytohycSLByU5ugY7Fp8",
     "x": "KmpjXcs-ZoVBTqhzI5rlTqq0-BASZUOUINkYCcZG9K8",
     "y": "z-jGVJXhv1pfh_ic8wWTE30p_2JT0aTshfxx_TtiMm0",
     "alg": "ES256",
-}
+})
 
-OTHER_PUBLIC_KEY = {
+OTHER_PUBLIC_KEY = jwt.PyJWK({
     "kty": "EC",
     "use": "sig",
     "crv": "P-256",
     "kid": "t-_9dLjYMVjPJ44_4aRGqAm58KpHXnAh5XktKlkKUSQ",
     "x": "_KCLiE8ul1eTVWdObu31mF26a3BzIsP2G6b2wPYlHFA",
     "y": "N6e_WdVrjjxVPZScBVLdluPk91pqoDRyS1BZ0ImDzPI",
     "alg": "ES256",
-}
+})
 
-HEADERS = {'kid': PUBLIC_KEY['kid']}
+HEADERS = {'kid': PUBLIC_KEY.key_id}
 
 PAYLOAD = {
     'iss': 'http://localhost:3000',