Make the library secure agen

[pvizeli]

https://blog.sqreen.io/stop-using-pycrypto-use-pycryptodome/

[codecov-io]

Codecov Report

Merging #83 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master      #83   +/-   ##
=======================================
  Coverage   93.69%   93.69%           
=======================================
  Files          12       12           
  Lines         841      841           
=======================================
  Hits          788      788           
  Misses         53       53

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 28cc671...b08a58f. Read the comment docs.

[mpdavis]

lgtm

[zejn]

Hi,

I don't think having a hard requirement on pycryptodome is ok, if you want to use pycrypto on GAE, because pycryptodome installs in the same namespace as pycrypto.

The only viable solution I currently see (if support for old GAE is still an option) is having a pure-Python RSA signing, with optional C backends, which the developers should choose themselves by specifying python-jose[cryptography] or python-jose[pycryptodome] or python[pycrypto]. Pycrypto and pycryptodome are mutually exclusive since they install in the same namespace, and cryptography might not be an option if installing on GAE.

[mpdavis]

@zejn I believe you are correct.

I will prioritze your pure python RSA backend, and remove the requirement entirely, allowing for the override you describe.