PyPI - commonground-api-common - Versions diffs - 2.6.5__tar.gz → 2.6.7__tar.gz - Mend

commonground-api-common 2.6.5tar.gz → 2.6.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/CHANGELOG.rst RENAMED Viewed

@@ -2,6 +2,23 @@
 Change history
 ==============
+2.6.7 (2025-06-30)
+------------------
+**Bugfixes**
+* [#103] Fix 500 error that occurred with ``iat`` in future, log a warning
+* Add JWT expiry validation based on ``iat``
+**Maintenance**
+* Upgrade PyJWT to 2.10.1
+2.6.6 (2025-06-04)
+------------------
+* [open-zaak/open-zaak#635] Rename JWT_LEEWAY setting to TIME_LEEWAY and add it to UntilNowValidator
 2.6.5 (2025-05-27)
 ------------------

{commonground_api_common-2.6.5/commonground_api_common.egg-info → commonground_api_common-2.6.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.5
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -48,7 +48,7 @@ Requires-Dist: psycopg2; extra == "tests"
 Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.5
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12
@@ -109,7 +109,7 @@ Features
     * Niet-negatieve waarde validator
     * Alfanumerieke waarde (zonder diacritics)
     * URL-validator (test dat URL bestaat) met pluggable link-checker
-    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*.
+    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*. (Via de TIME_LEEWAY setting kan speling worden toegevoegd)
     * ``UniekeIdentificatieValidator`` (in combinatie met organisatie)
     * ``InformatieObjectUniqueValidator`` om te valideren dat M2M entries
       slechts eenmalig voorkomen

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/README.rst RENAMED Viewed

@@ -3,7 +3,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.5
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12
@@ -36,7 +36,7 @@ Features
     * Niet-negatieve waarde validator
     * Alfanumerieke waarde (zonder diacritics)
     * URL-validator (test dat URL bestaat) met pluggable link-checker
-    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*.
+    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*. (Via de TIME_LEEWAY setting kan speling worden toegevoegd)
     * ``UniekeIdentificatieValidator`` (in combinatie met organisatie)
     * ``InformatieObjectUniqueValidator`` om te valideren dat M2M entries
       slechts eenmalig voorkomen

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7/commonground_api_common.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.5
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -48,7 +48,7 @@ Requires-Dist: psycopg2; extra == "tests"
 Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.5
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12
@@ -109,7 +109,7 @@ Features
     * Niet-negatieve waarde validator
     * Alfanumerieke waarde (zonder diacritics)
     * URL-validator (test dat URL bestaat) met pluggable link-checker
-    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*.
+    * ``UntilNowValidator`` - valideer datetimes tot en met *nu*. (Via de TIME_LEEWAY setting kan speling worden toegevoegd)
     * ``UniekeIdentificatieValidator`` (in combinatie met organisatie)
     * ``InformatieObjectUniqueValidator`` om te valideren dat M2M entries
       slechts eenmalig voorkomen

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/commonground_api_common.egg-info/requires.txt RENAMED Viewed

@@ -10,7 +10,7 @@ iso639-lang
 notifications-api-common>=0.3.1
 zgw-consumers>=0.35.1
 oyaml
-PyJWT>=2.1.1
+PyJWT>=2.10.1
 requests
 coreapi
 ape-pie
@@ -47,7 +47,7 @@ psycopg2
 pytest
 pytest-django
 pytest-dotenv
-pytest-factoryboy
+pytest-factoryboy>=2.8.0
 tox
 ruff
 requests-mock

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/setup.cfg RENAMED Viewed

@@ -1,6 +1,6 @@
 [metadata]
 name = commonground-api-common
-version = 2.6.5
+version = 2.6.7
 description = Commonground API tooling
 long_description = file: README.rst
 url = https://github.com/maykinmedia/commonground-api-common
@@ -42,7 +42,7 @@ install_requires =
 	notifications-api-common>=0.3.1
 	zgw-consumers>=0.35.1
 	oyaml
-	PyJWT>=2.1.1
+	PyJWT>=2.10.1
 	requests
 	coreapi
 	ape-pie
@@ -74,7 +74,7 @@ tests =
 	pytest
 	pytest-django
 	pytest-dotenv
-	pytest-factoryboy
+	pytest-factoryboy>=2.8.0
 	tox
 	ruff
 	requests-mock

commonground_api_common-2.6.7/tests/test_jwt_decoding.py ADDED Viewed

@@ -0,0 +1,231 @@
+from datetime import datetime
+import jwt
+import pytest
+from freezegun import freeze_time
+from rest_framework.exceptions import PermissionDenied
+from vng_api_common.authorizations.middleware import JWTAuth
+from vng_api_common.models import JWTSecret
+@pytest.mark.django_db
+def test_jwt_decode_ok():
+    secret = "secret"
+    JWTSecret.objects.create(identifier="client", secret=secret)
+    timestamp = int(datetime.now().timestamp())
+    token = jwt.encode(
+        {"client_id": "client", "iat": timestamp}, secret, algorithm="HS256"
+    )
+    auth = JWTAuth(token)
+    payload = auth.payload
+    assert auth.client_id == "client"
+    assert payload == {"client_id": "client", "iat": timestamp}
+@pytest.mark.django_db
+def test_jwt_decode_missing_iat():
+    secret = "secret"
+    JWTSecret.objects.create(identifier="client", secret=secret)
+    token = jwt.encode({"client_id": "client"}, secret, algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+def test_jwt_decode_str_iat():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    payload = {
+        "client_id": "client",
+        "iat": "timestamp",
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated_with_leeway(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated_with_leeway_not_enough(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 10,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated():
+    """jwt iat in future only logs a warning"""
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated_with_leeway(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated_with_leeway_not_enough(settings):
+    """jwt iat in future only logs a warning"""
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 10,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_ok():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_within_exp_setting():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 1000}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated(settings):
+    settings.JWT_EXPIRY = 3600
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3601}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated_with_leeway(settings):
+    settings.JWT_EXPIRY = 3600
+    settings.TIME_LEEWAY = 5
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3603}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated_with_leeway_not_enough(settings):
+    settings.JWT_EXPIRY = 3600
+    settings.TIME_LEEWAY = 5
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3610}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/tests/test_validators.py RENAMED Viewed

@@ -1,10 +1,14 @@
+from datetime import datetime, timezone
 from django.core.exceptions import ValidationError
 import pytest
+from freezegun import freeze_time
 from vng_api_common.validators import (
     AlphanumericExcludingDiacritic,
     BaseIdentifierValidator,
+    UntilNowValidator,
     validate_bsn,
     validate_rsin,
 )
@@ -104,3 +108,18 @@ def test_invalid_rsin():
     with pytest.raises(ValidationError) as error:
         validate_rsin("12345678")  # validate_length
     assert "Waarde moet 9 tekens lang zijn" in str(error.value)
+@freeze_time("2021-08-23T14:20:00")
+def test_invalid_date():
+    validator = UntilNowValidator()
+    with pytest.raises(ValidationError) as error:
+        validator(datetime(2021, 8, 23, 14, 20, 4, tzinfo=timezone.utc))
+    assert "Ensure this value is not in the future." in str(error.value)
+@freeze_time("2021-08-23T14:20:00")
+def test_invalid_date_with_leeway(settings):
+    settings.TIME_LEEWAY = 5
+    validator = UntilNowValidator()
+    validator(datetime(2021, 8, 23, 14, 20, 4, tzinfo=timezone.utc))

commonground_api_common-2.6.7/vng_api_common/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = "2.6.7"

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/vng_api_common/authorizations/middleware.py RENAMED Viewed

@@ -1,4 +1,5 @@
 import logging
+import time
 from typing import Any, Dict, Iterable, List, Optional
 from django.conf import settings
@@ -108,7 +109,7 @@ class JWTAuth:
                     self.encoded,
                     algorithms=["HS256"],
                     options={"verify_signature": False},
-                    leeway=settings.JWT_LEEWAY,
+                    leeway=settings.TIME_LEEWAY,
                 )
             except jwt.DecodeError:
                 logger.info("Invalid JWT encountered")
@@ -146,13 +147,32 @@ class JWTAuth:
                     self.encoded,
                     key,
                     algorithms=["HS256"],
-                    leeway=settings.JWT_LEEWAY,
+                    leeway=settings.TIME_LEEWAY,
+                    options={
+                        "require": ["iat"],
+                        "verify_iat": False,
+                    },  # iat is validated in _check_jwt_expiry
                 )
             except jwt.InvalidSignatureError:
                 logger.exception("Invalid signature - possible payload tampering?")
                 raise PermissionDenied(
                     "Client credentials zijn niet geldig", code="invalid-jwt-signature"
                 )
+            except jwt.MissingRequiredClaimError as exc:
+                msg = "Missing required {} claim".format(exc.claim)
+                logger.exception(msg)
+                raise PermissionDenied(
+                    _(msg),
+                    code="jwt-missing-{}-claim".format(exc.claim),
+                )
+            except jwt.PyJWTError as exc:
+                logger.exception("Invalid JWT encountered")
+                raise PermissionDenied(
+                    _("JWT did not validate"),
+                    code="jwt-{}".format(type(exc).__name__.lower()),
+                )
+            self._check_jwt_expiry(payload)
             self._payload = payload
@@ -164,6 +184,37 @@ class JWTAuth:
             return None
         return self.payload["client_id"]
+    def _check_jwt_expiry(self, payload: Dict[str, Any]) -> None:
+        """
+        Verify that the token was issued recently enough.
+        The Django settings define how long a JWT is considered to be valid. Adding
+        that duration to the issued-at claim determines the upper limit for token
+        validity.
+        """
+        iat = payload.get("iat")
+        try:
+            iat = int(iat)
+        except ValueError:
+            raise PermissionDenied(_("The iat claim must be an integer."))
+        current_timestamp = time.time()
+        difference = current_timestamp - iat
+        if difference < -settings.TIME_LEEWAY:
+            logger.warning(
+                "The JWT used for this request is not valid yet, the `iat` claim is "
+                "newer than the current time stamp. You may want to check the clock drift "
+                "on the Open Zaak server and/or tweak the `TIME_LEEWAY` setting.",
+                extra={"payload": payload},
+            )
+        if difference >= (settings.JWT_EXPIRY + settings.TIME_LEEWAY):
+            raise PermissionDenied(
+                _("The JWT used for this request is expired"), code="jwt-expired"
+            )
     def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
         if value is None:
             return base

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/vng_api_common/conf/api.py RENAMED Viewed

@@ -8,7 +8,8 @@ __all__ = [
     "GEMMA_URL_INFORMATIEMODEL_VERSIE",
     "GEMMA_URL_INFORMATIEMODEL",
     "GEMMA_URL_TEMPLATE",
-    "JWT_LEEWAY",
+    "TIME_LEEWAY",
+    "JWT_EXPIRY",
     "JWT_SPECTACULAR_SETTINGS",
     "LINK_FETCHER",
     "NOTIFICATIONS_DISABLED",
@@ -95,6 +96,8 @@ vng_repo = "VNG-Realisatie/vng-api-common"
 vng_branch = "ref-responses"
 COMMON_SPEC = f"https://raw.githubusercontent.com/{vng_repo}/feature/{vng_branch}/vng_api_common/schemas/common.yaml"
-JWT_LEEWAY = 0  # default in PyJWT
+TIME_LEEWAY = 0  # default in PyJWT
+JWT_EXPIRY = 3600
 COMMONGROUND_API_COMMON_GET_DOMAIN = "vng_api_common.utils.get_site_domain"

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/vng_api_common/tests/auth.py RENAMED Viewed

@@ -26,6 +26,8 @@ class AuthCheckMixin:
         request_kwargs = request_kwargs or {}
         with self.subTest(case="JWT missing"):
+            self.client.credentials()  # explicity clear credentials
             response = do_request(url, **request_kwargs)
             self.assertEqual(

{commonground_api_common-2.6.5 → commonground_api_common-2.6.7}/vng_api_common/validators.py RENAMED Viewed

@@ -1,6 +1,7 @@
 import json
 import logging
 import re
+from datetime import timedelta
 from typing import Callable
 from django.conf import settings
@@ -277,6 +278,8 @@ class UntilNowValidator:
     Validate a datetime to not be in the future.
     This means that `now` is included.
+    Some leeway can be added with the TIME_LEEWAY setting.
     """
     message = _("Ensure this value is not in the future.")
@@ -284,7 +287,7 @@ class UntilNowValidator:
     @property
     def limit_value(self):
-        return timezone.now()
+        return timezone.now() + timedelta(seconds=settings.TIME_LEEWAY)
     def __call__(self, value):
         if value > self.limit_value:

commonground_api_common-2.6.5/tests/test_jwt_decoding.py DELETED Viewed

@@ -1,56 +0,0 @@
-from datetime import datetime
-import jwt
-import pytest
-from freezegun import freeze_time
-from jwt import ImmatureSignatureError
-from vng_api_common.authorizations.middleware import JWTAuth
-from vng_api_common.models import JWTSecret
-@pytest.mark.django_db
-def test_jwt_decode_ok():
-    secret = "secret"
-    JWTSecret.objects.create(identifier="client", secret=secret)
-    token = jwt.encode({"client_id": "client"}, secret, algorithm="HS256")
-    auth = JWTAuth(token)
-    payload = auth.payload
-    assert auth.client_id == "client"
-    assert payload == {"client_id": "client"}
-@pytest.mark.django_db
-@freeze_time("2021-08-23T14:20:00")
-def test_nbf_validated():
-    JWTSecret.objects.create(identifier="client", secret="secret")
-    payload = {
-        "client_id": "client",
-        "nbf": int(datetime.now().timestamp())
-        + 1,  # 1 second "later" than current time
-    }
-    token = jwt.encode(payload, "secret", algorithm="HS256")
-    auth = JWTAuth(token)
-    with pytest.raises(ImmatureSignatureError):
-        auth.payload
-@pytest.mark.django_db
-@freeze_time("2021-08-23T14:20:00")
-def test_nbf_validated_with_leeway(settings):
-    settings.JWT_LEEWAY = 3
-    JWTSecret.objects.create(identifier="client", secret="secret")
-    payload = {
-        "client_id": "client",
-        "nbf": int(datetime.now().timestamp())
-        + 1,  # 1 second "later" than current time
-    }
-    token = jwt.encode(payload, "secret", algorithm="HS256")
-    auth = JWTAuth(token)
-    assert auth.payload == payload