PyPI - Authlib - Versions diffs - 1.6.4__tar.gz → 1.6.6__tar.gz - Mend

Authlib 1.6.4tar.gz → 1.6.6tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (214) hide show

{authlib-1.6.4 → authlib-1.6.6}/Authlib.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: Authlib
-Version: 1.6.4
+Version: 1.6.6
 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
 Author-email: Hsiaoming Yang <me@lepture.com>
 License: BSD-3-Clause

{authlib-1.6.4 → authlib-1.6.6}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: Authlib
-Version: 1.6.4
+Version: 1.6.6
 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
 Author-email: Hsiaoming Yang <me@lepture.com>
 License: BSD-3-Clause

{authlib-1.6.4 → authlib-1.6.6}/authlib/__init__.py RENAMED Viewed

@@ -1,4 +1,5 @@
-"""authlib.
+"""
+authlib
 ~~~~~~~
 The ultimate Python library in building OAuth 1.0, OAuth 2.0 and OpenID

{authlib-1.6.4 → authlib-1.6.6}/authlib/consts.py RENAMED Viewed

@@ -1,5 +1,5 @@
 name = "Authlib"
-version = "1.6.4"
+version = "1.6.6"
 author = "Hsiaoming Yang <me@lepture.com>"
 homepage = "https://authlib.org"
 default_user_agent = f"{name}/{version} (+{homepage})"

{authlib-1.6.4 → authlib-1.6.6}/authlib/integrations/base_client/framework_integration.py RENAMED Viewed

@@ -20,11 +20,9 @@ class FrameworkIntegration:
     def _clear_session_state(self, session):
         now = time.time()
+        prefix = f"_state_{self.name}"
         for key in dict(session):
-            if "_authlib_" in key:
-                # TODO: remove in future
-                session.pop(key)
-            elif key.startswith("_state_"):
+            if key.startswith(prefix):
                 value = session[key]
                 exp = value.get("exp")
                 if not exp or exp < now:
@@ -32,29 +30,32 @@ class FrameworkIntegration:
     def get_state_data(self, session, state):
         key = f"_state_{self.name}_{state}"
+        session_data = session.get(key)
+        if not session_data:
+            return None
         if self.cache:
-            value = self._get_cache_data(key)
+            cached_value = self._get_cache_data(key)
         else:
-            value = session.get(key)
-        if value:
-            return value.get("data")
+            cached_value = session_data
+        if cached_value:
+            return cached_value.get("data")
         return None
     def set_state_data(self, session, state, data):
         key = f"_state_{self.name}_{state}"
+        now = time.time()
         if self.cache:
             self.cache.set(key, json.dumps({"data": data}), self.expires_in)
+            session[key] = {"exp": now + self.expires_in}
         else:
-            now = time.time()
             session[key] = {"data": data, "exp": now + self.expires_in}
     def clear_state_data(self, session, state):
         key = f"_state_{self.name}_{state}"
         if self.cache:
             self.cache.delete(key)
-        else:
-            session.pop(key, None)
-            self._clear_session_state(session)
+        session.pop(key, None)
+        self._clear_session_state(session)
     def update_token(self, token, refresh_token=None, access_token=None):
         raise NotImplementedError()

{authlib-1.6.4 → authlib-1.6.6}/authlib/jose/rfc7515/jws.py RENAMED Viewed

@@ -34,6 +34,8 @@ class JsonWebSignature:
         ]
     )
+    MAX_CONTENT_LENGTH: int = 256000
     #: Defined available JWS algorithms in the registry
     ALGORITHMS_REGISTRY = {}
@@ -89,6 +91,9 @@ class JsonWebSignature:
         .. _`Section 7.1`: https://tools.ietf.org/html/rfc7515#section-7.1
         """
+        if len(s) > self.MAX_CONTENT_LENGTH:
+            raise ValueError("Serialization is too long.")
         try:
             s = to_bytes(s)
             signing_input, signature_segment = s.rsplit(b".", 1)

authlib-1.6.6/authlib/jose/rfc7518/jwe_zips.py ADDED Viewed

@@ -0,0 +1,34 @@
+import zlib
+from ..rfc7516 import JsonWebEncryption
+from ..rfc7516 import JWEZipAlgorithm
+GZIP_HEAD = bytes([120, 156])
+MAX_SIZE = 250 * 1024
+class DeflateZipAlgorithm(JWEZipAlgorithm):
+    name = "DEF"
+    description = "DEFLATE"
+    def compress(self, s: bytes) -> bytes:
+        """Compress bytes data with DEFLATE algorithm."""
+        data = zlib.compress(s)
+        # https://datatracker.ietf.org/doc/html/rfc1951
+        # since DEF is always gzip, we can drop gzip headers and tail
+        return data[2:-4]
+    def decompress(self, s: bytes) -> bytes:
+        """Decompress DEFLATE bytes data."""
+        if s.startswith(GZIP_HEAD):
+            decompressor = zlib.decompressobj()
+        else:
+            decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
+        value = decompressor.decompress(s, MAX_SIZE)
+        if decompressor.unconsumed_tail:
+            raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
+        return value
+def register_jwe_rfc7518():
+    JsonWebEncryption.register_algorithm(DeflateZipAlgorithm())

{authlib-1.6.4 → authlib-1.6.6}/authlib/jose/util.py RENAMED Viewed

@@ -7,6 +7,9 @@ from authlib.jose.errors import DecodeError
 def extract_header(header_segment, error_cls):
+    if len(header_segment) > 256000:
+        raise ValueError("Value of header is too long")
     header_data = extract_segment(header_segment, error_cls, "header")
     try:
@@ -20,6 +23,9 @@ def extract_header(header_segment, error_cls):
 def extract_segment(segment, error_cls, name="payload"):
+    if len(segment) > 256000:
+        raise ValueError(f"Value of {name} is too long")
     try:
         return urlsafe_b64decode(segment)
     except (TypeError, binascii.Error) as exc:

{authlib-1.6.4 → authlib-1.6.6}/authlib/oauth1/rfc5849/client_auth.py RENAMED Viewed

@@ -172,6 +172,8 @@ class ClientAuth:
         if CONTENT_TYPE_FORM_URLENCODED in content_type:
             headers["Content-Type"] = CONTENT_TYPE_FORM_URLENCODED
+            if isinstance(body, bytes):
+                body = body.decode()
             uri, headers, body = self.sign(method, uri, headers, body)
         elif self.force_include_body:
             # To allow custom clients to work on non form encoded bodies.

{authlib-1.6.4 → authlib-1.6.6}/authlib/oauth2/rfc6749/parameters.py RENAMED Viewed

@@ -54,9 +54,14 @@ def prepare_grant_uri(
     if state:
         params.append(("state", state))
-    for k in kwargs:
-        if kwargs[k] is not None:
-            params.append((to_unicode(k), kwargs[k]))
+    for k, value in kwargs.items():
+        if value is not None:
+            if isinstance(value, (list, tuple)):
+                for v in value:
+                    if v is not None:
+                        params.append((to_unicode(k), v))
+            else:
+                params.append((to_unicode(k), value))
     return add_params_to_uri(uri, params)

{authlib-1.6.4 → authlib-1.6.6}/authlib/oauth2/rfc6749/wrappers.py RENAMED Viewed

@@ -4,15 +4,26 @@ import time
 class OAuth2Token(dict):
     def __init__(self, params):
         if params.get("expires_at"):
-            params["expires_at"] = int(params["expires_at"])
+            try:
+                params["expires_at"] = int(params["expires_at"])
+            except ValueError:
+                # If expires_at is not parseable, fall back to expires_in if available
+                # Otherwise leave expires_at untouched
+                if params.get("expires_in"):
+                    params["expires_at"] = int(time.time()) + int(params["expires_in"])
         elif params.get("expires_in"):
             params["expires_at"] = int(time.time()) + int(params["expires_in"])
         super().__init__(params)
     def is_expired(self, leeway=60):
         expires_at = self.get("expires_at")
         if not expires_at:
             return None
+        # Only check expiration if expires_at is an integer
+        if not isinstance(expires_at, int):
+            return None
         # small timedelta to consider token as expired before it actually expires
         expiration_threshold = expires_at - leeway
         return expiration_threshold < time.time()

{authlib-1.6.4 → authlib-1.6.6}/authlib/oauth2/rfc7591/endpoint.py RENAMED Viewed

@@ -4,6 +4,7 @@ import time
 from authlib.common.security import generate_token
 from authlib.consts import default_json_headers
+from authlib.deprecate import deprecate
 from authlib.jose import JoseError
 from authlib.jose import JsonWebToken
@@ -41,7 +42,7 @@ class ClientRegistrationEndpoint:
         request.credential = token
         client_metadata = self.extract_client_metadata(request)
-        client_info = self.generate_client_info()
+        client_info = self.generate_client_info(request)
         body = {}
         body.update(client_metadata)
         body.update(client_info)
@@ -91,10 +92,28 @@ class ClientRegistrationEndpoint:
         except JoseError as exc:
             raise InvalidSoftwareStatementError() from exc
-    def generate_client_info(self):
+    def generate_client_info(self, request):
         # https://tools.ietf.org/html/rfc7591#section-3.2.1
-        client_id = self.generate_client_id()
-        client_secret = self.generate_client_secret()
+        try:
+            client_id = self.generate_client_id(request)
+        except TypeError:  # pragma: no cover
+            client_id = self.generate_client_id()
+            deprecate(
+                "generate_client_id takes a 'request' parameter. "
+                "It will become mandatory in coming releases",
+                version="1.8",
+            )
+        try:
+            client_secret = self.generate_client_secret(request)
+        except TypeError:  # pragma: no cover
+            client_secret = self.generate_client_secret()
+            deprecate(
+                "generate_client_secret takes a 'request' parameter. "
+                "It will become mandatory in coming releases",
+                version="1.8",
+            )
         client_id_issued_at = int(time.time())
         client_secret_expires_at = 0
         return dict(
@@ -114,13 +133,13 @@ class ClientRegistrationEndpoint:
     def create_endpoint_request(self, request):
         return self.server.create_json_request(request)
-    def generate_client_id(self):
+    def generate_client_id(self, request):
         """Generate ``client_id`` value. Developers MAY rewrite this method
         to use their own way to generate ``client_id``.
         """
         return generate_token(42)
-    def generate_client_secret(self):
+    def generate_client_secret(self, request):
         """Generate ``client_secret`` value. Developers MAY rewrite this method
         to use their own way to generate ``client_secret``.
         """

{authlib-1.6.4 → authlib-1.6.6}/authlib/oidc/core/grants/code.py RENAMED Viewed

@@ -8,6 +8,7 @@ per `Section 3.1`_.
 """
 import logging
+import warnings
 from authlib.oauth2.rfc6749 import OAuth2Request
@@ -20,7 +21,7 @@ log = logging.getLogger(__name__)
 class OpenIDToken:
-    def get_jwt_config(self, grant):  # pragma: no cover
+    def get_jwt_config(self, grant, client):  # pragma: no cover
         """Get the JWT configuration for OpenIDCode extension. The JWT
         configuration will be used to generate ``id_token``.
         If ``alg`` is undefined, the ``id_token_signed_response_alg`` client
@@ -29,15 +30,16 @@ class OpenIDToken:
         will be used.
         Developers MUST implement this method in subclass, e.g.::
-            def get_jwt_config(self, grant):
+            def get_jwt_config(self, grant, client):
                 return {
                     "key": read_private_key_file(key_path),
-                    "alg": "RS256",
+                    "alg": client.id_token_signed_response_alg or "RS256",
                     "iss": "issuer-identity",
                     "exp": 3600,
                 }
         :param grant: AuthorizationCodeGrant instance
+        :param client: OAuth2 client instance
         :return: dict
         """
         raise NotImplementedError()
@@ -78,7 +80,17 @@ class OpenIDToken:
         request: OAuth2Request = grant.request
         authorization_code = request.authorization_code
-        config = self.get_jwt_config(grant)
+        try:
+            config = self.get_jwt_config(grant, request.client)
+        except TypeError:
+            warnings.warn(
+                "get_jwt_config(self, grant) is deprecated and will be removed in version 1.8. "
+                "Use get_jwt_config(self, grant, client) instead.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            config = self.get_jwt_config(grant)
         config["aud"] = self.get_audiences(request)
         # Per OpenID Connect Registration 1.0 Section 2:

{authlib-1.6.4 → authlib-1.6.6}/authlib/oidc/core/grants/implicit.py RENAMED Viewed

@@ -1,4 +1,5 @@
 import logging
+import warnings
 from authlib.oauth2.rfc6749 import AccessDeniedError
 from authlib.oauth2.rfc6749 import ImplicitGrant
@@ -36,19 +37,20 @@ class OpenIDImplicitGrant(ImplicitGrant):
         """
         raise NotImplementedError()
-    def get_jwt_config(self):
+    def get_jwt_config(self, client):
         """Get the JWT configuration for OpenIDImplicitGrant. The JWT
         configuration will be used to generate ``id_token``. Developers
         MUST implement this method in subclass, e.g.::
-            def get_jwt_config(self):
+            def get_jwt_config(self, client):
                 return {
                     "key": read_private_key_file(key_path),
-                    "alg": "RS256",
+                    "alg": client.id_token_signed_response_alg or "RS256",
                     "iss": "issuer-identity",
                     "exp": 3600,
                 }
+        :param client: OAuth2 client instance
         :return: dict
         """
         raise NotImplementedError()
@@ -143,7 +145,17 @@ class OpenIDImplicitGrant(ImplicitGrant):
         return params
     def process_implicit_token(self, token, code=None):
-        config = self.get_jwt_config()
+        try:
+            config = self.get_jwt_config(self.request.client)
+        except TypeError:
+            warnings.warn(
+                "get_jwt_config(self) is deprecated and will be removed in version 1.8. "
+                "Use get_jwt_config(self, client) instead.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            config = self.get_jwt_config()
         config["aud"] = self.get_audiences(self.request)
         config["nonce"] = self.request.payload.data.get("nonce")
         if code is not None:

authlib-1.6.4/authlib/jose/rfc7518/jwe_zips.py DELETED Viewed

@@ -1,23 +0,0 @@
-import zlib
-from ..rfc7516 import JsonWebEncryption
-from ..rfc7516 import JWEZipAlgorithm
-class DeflateZipAlgorithm(JWEZipAlgorithm):
-    name = "DEF"
-    description = "DEFLATE"
-    def compress(self, s):
-        """Compress bytes data with DEFLATE algorithm."""
-        data = zlib.compress(s)
-        # drop gzip headers and tail
-        return data[2:-4]
-    def decompress(self, s):
-        """Decompress DEFLATE bytes data."""
-        return zlib.decompress(s, -zlib.MAX_WBITS)
-def register_jwe_rfc7518():
-    JsonWebEncryption.register_algorithm(DeflateZipAlgorithm())