commonground-api-common 2.6.5__py3-none-any.whl → 2.6.7__py3-none-any.whl

{commonground_api_common-2.6.5.dist-info → commonground_api_common-2.6.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.5
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -48,7 +48,7 @@ Requires-Dist: psycopg2; extra == "tests"
 Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
 
 
-:Version: 2.6.5
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12
 
@@ -109,7 +109,7 @@ Features
     * Niet-negatieve waarde validator
     * Alfanumerieke waarde (zonder diacritics)
     * URL-validator (test dat URL bestaat) met pluggable link-checker
-    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*.
+    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*. (Via de TIME_LEEWAY setting kan speling worden toegevoegd)
     * ``UniekeIdentificatieValidator`` (in combinatie met organisatie)
     * ``InformatieObjectUniqueValidator`` om te valideren dat M2M entries
       slechts eenmalig voorkomen

{commonground_api_common-2.6.5.dist-info → commonground_api_common-2.6.7.dist-info}/RECORD

@@ -1,5 +1,5 @@
-commonground_api_common-2.6.5.data/scripts/generate_schema,sha256=OpKgzlFc_uzA3TVW_vHSYXAD_feLaCdTEnkWjIcxVzA,280
-vng_api_common/__init__.py,sha256=b8L3dijps7oaMPmOpJzOuXwvOcbIuro9wWmuPwiL87o,22
+commonground_api_common-2.6.7.data/scripts/generate_schema,sha256=OpKgzlFc_uzA3TVW_vHSYXAD_feLaCdTEnkWjIcxVzA,280
+vng_api_common/__init__.py,sha256=Kc2cyTvfIdfaMxraNhj61Hw9Mr3C-eTCdQPLK5KH1AQ,22
 vng_api_common/admin.py,sha256=WiD6afzO9sJh_Nz7TKsxCiGm49vS0qQH1PxyXnGpEt8,204
 vng_api_common/apps.py,sha256=QQiJXRmjX9Q91oh0P9fvVnHe3NSYd1cEcUUBw0HLBCA,3690
 vng_api_common/checks.py,sha256=tOyfV7MMLGh4anrd_W30LvJCxiyQ4sFs1mGd9mtrEc0,1175
@@ -32,7 +32,7 @@ vng_api_common/search.py,sha256=yehS6boCOk1JXLCqAMU-B62hWtbTBSf_WKIVGPgp0Mg,1045
 vng_api_common/serializers.py,sha256=ohdUC11RGMxZQcN2ekLappgT4SbYz12o4GZ7maVS3RY,13464
 vng_api_common/urls.py,sha256=9IWHYLlEIIHNaZ_Zq02qNQ2HJpETb7o-89r7yBM_tQs,270
 vng_api_common/utils.py,sha256=EHqVjZhtqnbU7YrqgYIBss28Sd19jtnTLNaMWLfj3Zw,8203
-vng_api_common/validators.py,sha256=oXCSuX1S2vtOW3qlPMNOCHo2W-4R0pkcXnZb2xV9ILs,12845
+vng_api_common/validators.py,sha256=tZkjHPXfcG1FxGXCSNnyFkMQPzFHhlxfyOfNdEOb5js,12978
 vng_api_common/version.py,sha256=yJV9_yTM7Qnzg0zGNkJQkN9Uai3I_ZUkcyseJRPRk5I,129
 vng_api_common/views.py,sha256=ARqNuPlrZ0ctzkHTNs7NMyzrji2LvRmrmzrSNmtS-v0,7603
 vng_api_common/viewsets.py,sha256=jAXKHFRBhNKzkjugpYnXkE2zKvCWwKwZA6_VoiTWjvw,2286
@@ -76,7 +76,7 @@ vng_api_common/audittrails/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCe
 vng_api_common/audittrails/migrations/_operations.py,sha256=UOMv0zAK8CIQ73cSu6wwQG_hkW46Isdy7JCnljn8GII,3280
 vng_api_common/authorizations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/authorizations/admin.py,sha256=Tk0yYKbb005E0XZaYYWbucMf_K5M8Hhz62wSBDi8rhM,813
-vng_api_common/authorizations/middleware.py,sha256=KJ3znCXPRMOVqSur62SmBjvC6RcKxtcWq1rzaHdYR98,8416
+vng_api_common/authorizations/middleware.py,sha256=hbjGeg2UZ20QPSgZ8yMonDOS2dfrvFKPaxTcpoyH7gs,10446
 vng_api_common/authorizations/models.py,sha256=-PwbFceloUz6pbfFp2DB3YfioC2xq63YDm-EVc3U3HE,5160
 vng_api_common/authorizations/serializers.py,sha256=3HeKWEqhI3UWwI8SttC4rEID-Epbk7SWsC-bEjolbaw,5151
 vng_api_common/authorizations/utils.py,sha256=GSeHVXia-GHGCN_E4u671r4pGssvcyp9osKFf8Fc8v4,590
@@ -107,7 +107,7 @@ vng_api_common/caching/models.py,sha256=RroS9HFiKNXDV59Odh0x8BO8Az8E81v4gwuprF1A
 vng_api_common/caching/registry.py,sha256=oXE4kMnVpdp7qvb_goVkCTY5qeY8kB3EDKVX65fPtYc,6207
 vng_api_common/caching/signals.py,sha256=78ej5cVan-JpNHKzZNAfs0m2ON_TXKphe8ZKtP-6FVY,4615
 vng_api_common/conf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-vng_api_common/conf/api.py,sha256=tNShwZevKpJ6n713pPGPuUpThcPq-057JAd3xSHW5sU,3158
+vng_api_common/conf/api.py,sha256=FTiT_HYL2pzRF9o5aAsPErwo8wsphxOFM2RNVBxBFi8,3197
 vng_api_common/contrib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/contrib/setup_configuration/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/contrib/setup_configuration/models.py,sha256=1-G0hXeRe-x6GYtsAaQeMGXq0-cwU5LMb8KTQWj-pQk,1201
@@ -180,11 +180,11 @@ vng_api_common/templates/vng_api_common/ref/scopes.html,sha256=M3lTbnTOFr1OqDxkK
 vng_api_common/templatetags/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/templatetags/vng_api_common.py,sha256=j4Fu4rNErLcXStBbuZ9Zd_xD_ft0HA6kfpPz6wLXnOw,1251
 vng_api_common/tests/__init__.py,sha256=zBI2etwu2lEkKkIN1_cPuugJgPcoohQuJbdiUGtoceU,426
-vng_api_common/tests/auth.py,sha256=IKDWTEFv4Bign4F70-ibsFcnJqRxEJaXvqaPQJWa1xY,4544
+vng_api_common/tests/auth.py,sha256=fOTe8J69pk7axDPfY73vw4NcrIcTOGBvl0HEYD5Zc4Y,4614
 vng_api_common/tests/caching.py,sha256=zfIw5cRRvO9cekHZZKfRqZc8cx5IfJUYNmcH6cuIMg4,624
 vng_api_common/tests/schema.py,sha256=WDvifDQQiKqIpQijpeQ7rYkFroJmuPuHe7zNhl1Bigk,2293
 vng_api_common/tests/urls.py,sha256=PFrYzQbBC0TFPMEn3uPhcBG0IQs9JsEPqckicJT1UA4,2159
-commonground_api_common-2.6.5.dist-info/METADATA,sha256=2AptFlJ9JnnorQ-x3r2Ep60TKF7f6oxpSfM82GB32aM,7129
-commonground_api_common-2.6.5.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-commonground_api_common-2.6.5.dist-info/top_level.txt,sha256=vPismc83zPzWXTmlNCCwfDlFV9iygJYxNJW5iDjKTgw,15
-commonground_api_common-2.6.5.dist-info/RECORD,,
+commonground_api_common-2.6.7.dist-info/METADATA,sha256=HKmZYlZc5kA0yCwWIOz-zg7RyM141g1lNaJQFiY_qtI,7196
+commonground_api_common-2.6.7.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+commonground_api_common-2.6.7.dist-info/top_level.txt,sha256=vPismc83zPzWXTmlNCCwfDlFV9iygJYxNJW5iDjKTgw,15
+commonground_api_common-2.6.7.dist-info/RECORD,,

vng_api_common/__init__.py

@@ -1 +1 @@
-__version__ = "2.6.5"
+__version__ = "2.6.7"

vng_api_common/authorizations/middleware.py

@@ -1,4 +1,5 @@
 import logging
+import time
 from typing import Any, Dict, Iterable, List, Optional
 
 from django.conf import settings
@@ -108,7 +109,7 @@ class JWTAuth:
                     self.encoded,
                     algorithms=["HS256"],
                     options={"verify_signature": False},
-                    leeway=settings.JWT_LEEWAY,
+                    leeway=settings.TIME_LEEWAY,
                 )
             except jwt.DecodeError:
                 logger.info("Invalid JWT encountered")
@@ -146,13 +147,32 @@ class JWTAuth:
                     self.encoded,
                     key,
                     algorithms=["HS256"],
-                    leeway=settings.JWT_LEEWAY,
+                    leeway=settings.TIME_LEEWAY,
+                    options={
+                        "require": ["iat"],
+                        "verify_iat": False,
+                    },  # iat is validated in _check_jwt_expiry
                 )
             except jwt.InvalidSignatureError:
                 logger.exception("Invalid signature - possible payload tampering?")
                 raise PermissionDenied(
                     "Client credentials zijn niet geldig", code="invalid-jwt-signature"
                 )
+            except jwt.MissingRequiredClaimError as exc:
+                msg = "Missing required {} claim".format(exc.claim)
+                logger.exception(msg)
+                raise PermissionDenied(
+                    _(msg),
+                    code="jwt-missing-{}-claim".format(exc.claim),
+                )
+            except jwt.PyJWTError as exc:
+                logger.exception("Invalid JWT encountered")
+                raise PermissionDenied(
+                    _("JWT did not validate"),
+                    code="jwt-{}".format(type(exc).__name__.lower()),
+                )
+
+            self._check_jwt_expiry(payload)
 
             self._payload = payload
 
@@ -164,6 +184,37 @@ class JWTAuth:
             return None
         return self.payload["client_id"]
 
+    def _check_jwt_expiry(self, payload: Dict[str, Any]) -> None:
+        """
+        Verify that the token was issued recently enough.
+
+        The Django settings define how long a JWT is considered to be valid. Adding
+        that duration to the issued-at claim determines the upper limit for token
+        validity.
+        """
+        iat = payload.get("iat")
+
+        try:
+            iat = int(iat)
+        except ValueError:
+            raise PermissionDenied(_("The iat claim must be an integer."))
+
+        current_timestamp = time.time()
+        difference = current_timestamp - iat
+
+        if difference < -settings.TIME_LEEWAY:
+            logger.warning(
+                "The JWT used for this request is not valid yet, the `iat` claim is "
+                "newer than the current time stamp. You may want to check the clock drift "
+                "on the Open Zaak server and/or tweak the `TIME_LEEWAY` setting.",
+                extra={"payload": payload},
+            )
+
+        if difference >= (settings.JWT_EXPIRY + settings.TIME_LEEWAY):
+            raise PermissionDenied(
+                _("The JWT used for this request is expired"), code="jwt-expired"
+            )
+
     def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
         if value is None:
             return base

vng_api_common/conf/api.py

@@ -8,7 +8,8 @@ __all__ = [
     "GEMMA_URL_INFORMATIEMODEL_VERSIE",
     "GEMMA_URL_INFORMATIEMODEL",
     "GEMMA_URL_TEMPLATE",
-    "JWT_LEEWAY",
+    "TIME_LEEWAY",
+    "JWT_EXPIRY",
     "JWT_SPECTACULAR_SETTINGS",
     "LINK_FETCHER",
     "NOTIFICATIONS_DISABLED",
@@ -95,6 +96,8 @@ vng_repo = "VNG-Realisatie/vng-api-common"
 vng_branch = "ref-responses"
 COMMON_SPEC = f"https://raw.githubusercontent.com/{vng_repo}/feature/{vng_branch}/vng_api_common/schemas/common.yaml"
 
-JWT_LEEWAY = 0  # default in PyJWT
+TIME_LEEWAY = 0  # default in PyJWT
+
+JWT_EXPIRY = 3600
 
 COMMONGROUND_API_COMMON_GET_DOMAIN = "vng_api_common.utils.get_site_domain"

vng_api_common/tests/auth.py

@@ -26,6 +26,8 @@ class AuthCheckMixin:
         request_kwargs = request_kwargs or {}
 
         with self.subTest(case="JWT missing"):
+            self.client.credentials()  # explicity clear credentials
+
             response = do_request(url, **request_kwargs)
 
             self.assertEqual(

vng_api_common/validators.py

@@ -1,6 +1,7 @@
 import json
 import logging
 import re
+from datetime import timedelta
 from typing import Callable
 
 from django.conf import settings
@@ -277,6 +278,8 @@ class UntilNowValidator:
     Validate a datetime to not be in the future.
 
     This means that `now` is included.
+
+    Some leeway can be added with the TIME_LEEWAY setting.
     """
 
     message = _("Ensure this value is not in the future.")
@@ -284,7 +287,7 @@ class UntilNowValidator:
 
     @property
     def limit_value(self):
-        return timezone.now()
+        return timezone.now() + timedelta(seconds=settings.TIME_LEEWAY)
 
     def __call__(self, value):
         if value > self.limit_value: