commonground-api-common 2.6.6__py3-none-any.whl → 2.6.7__py3-none-any.whl

{commonground_api_common-2.6.6.dist-info → commonground_api_common-2.6.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.6
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -45,10 +45,10 @@ Provides-Extra: drf-extra-fields
 Requires-Dist: drf-extra-fields>=3.7.0; extra == "drf-extra-fields"
 Provides-Extra: tests
 Requires-Dist: psycopg2; extra == "tests"
-Requires-Dist: pytest==8.3.5; extra == "tests"
+Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
 
 
-:Version: 2.6.6
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12
 

{commonground_api_common-2.6.6.dist-info → commonground_api_common-2.6.7.dist-info}/RECORD

@@ -1,5 +1,5 @@
-commonground_api_common-2.6.6.data/scripts/generate_schema,sha256=OpKgzlFc_uzA3TVW_vHSYXAD_feLaCdTEnkWjIcxVzA,280
-vng_api_common/__init__.py,sha256=MJHGx-Qo0nycI7WHSavnK8Mok6HS_De_qLfGWXih6Og,22
+commonground_api_common-2.6.7.data/scripts/generate_schema,sha256=OpKgzlFc_uzA3TVW_vHSYXAD_feLaCdTEnkWjIcxVzA,280
+vng_api_common/__init__.py,sha256=Kc2cyTvfIdfaMxraNhj61Hw9Mr3C-eTCdQPLK5KH1AQ,22
 vng_api_common/admin.py,sha256=WiD6afzO9sJh_Nz7TKsxCiGm49vS0qQH1PxyXnGpEt8,204
 vng_api_common/apps.py,sha256=QQiJXRmjX9Q91oh0P9fvVnHe3NSYd1cEcUUBw0HLBCA,3690
 vng_api_common/checks.py,sha256=tOyfV7MMLGh4anrd_W30LvJCxiyQ4sFs1mGd9mtrEc0,1175
@@ -76,7 +76,7 @@ vng_api_common/audittrails/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCe
 vng_api_common/audittrails/migrations/_operations.py,sha256=UOMv0zAK8CIQ73cSu6wwQG_hkW46Isdy7JCnljn8GII,3280
 vng_api_common/authorizations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/authorizations/admin.py,sha256=Tk0yYKbb005E0XZaYYWbucMf_K5M8Hhz62wSBDi8rhM,813
-vng_api_common/authorizations/middleware.py,sha256=cR7reyRIZmCtH2qONopva8PZKCkwBl3DU-VWJqnL-Z0,8418
+vng_api_common/authorizations/middleware.py,sha256=hbjGeg2UZ20QPSgZ8yMonDOS2dfrvFKPaxTcpoyH7gs,10446
 vng_api_common/authorizations/models.py,sha256=-PwbFceloUz6pbfFp2DB3YfioC2xq63YDm-EVc3U3HE,5160
 vng_api_common/authorizations/serializers.py,sha256=3HeKWEqhI3UWwI8SttC4rEID-Epbk7SWsC-bEjolbaw,5151
 vng_api_common/authorizations/utils.py,sha256=GSeHVXia-GHGCN_E4u671r4pGssvcyp9osKFf8Fc8v4,590
@@ -107,7 +107,7 @@ vng_api_common/caching/models.py,sha256=RroS9HFiKNXDV59Odh0x8BO8Az8E81v4gwuprF1A
 vng_api_common/caching/registry.py,sha256=oXE4kMnVpdp7qvb_goVkCTY5qeY8kB3EDKVX65fPtYc,6207
 vng_api_common/caching/signals.py,sha256=78ej5cVan-JpNHKzZNAfs0m2ON_TXKphe8ZKtP-6FVY,4615
 vng_api_common/conf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-vng_api_common/conf/api.py,sha256=F1Aj8jOdN-T0ZYqUtuu-jUjST5XcyYcRFqZc057M0Bc,3160
+vng_api_common/conf/api.py,sha256=FTiT_HYL2pzRF9o5aAsPErwo8wsphxOFM2RNVBxBFi8,3197
 vng_api_common/contrib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/contrib/setup_configuration/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/contrib/setup_configuration/models.py,sha256=1-G0hXeRe-x6GYtsAaQeMGXq0-cwU5LMb8KTQWj-pQk,1201
@@ -180,11 +180,11 @@ vng_api_common/templates/vng_api_common/ref/scopes.html,sha256=M3lTbnTOFr1OqDxkK
 vng_api_common/templatetags/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vng_api_common/templatetags/vng_api_common.py,sha256=j4Fu4rNErLcXStBbuZ9Zd_xD_ft0HA6kfpPz6wLXnOw,1251
 vng_api_common/tests/__init__.py,sha256=zBI2etwu2lEkKkIN1_cPuugJgPcoohQuJbdiUGtoceU,426
-vng_api_common/tests/auth.py,sha256=IKDWTEFv4Bign4F70-ibsFcnJqRxEJaXvqaPQJWa1xY,4544
+vng_api_common/tests/auth.py,sha256=fOTe8J69pk7axDPfY73vw4NcrIcTOGBvl0HEYD5Zc4Y,4614
 vng_api_common/tests/caching.py,sha256=zfIw5cRRvO9cekHZZKfRqZc8cx5IfJUYNmcH6cuIMg4,624
 vng_api_common/tests/schema.py,sha256=WDvifDQQiKqIpQijpeQ7rYkFroJmuPuHe7zNhl1Bigk,2293
 vng_api_common/tests/urls.py,sha256=PFrYzQbBC0TFPMEn3uPhcBG0IQs9JsEPqckicJT1UA4,2159
-commonground_api_common-2.6.6.dist-info/METADATA,sha256=cWsFJ1YO-TZLhYWVXu6r7Dp-9Qbt9RXbb8lfB97JAvM,7195
-commonground_api_common-2.6.6.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-commonground_api_common-2.6.6.dist-info/top_level.txt,sha256=vPismc83zPzWXTmlNCCwfDlFV9iygJYxNJW5iDjKTgw,15
-commonground_api_common-2.6.6.dist-info/RECORD,,
+commonground_api_common-2.6.7.dist-info/METADATA,sha256=HKmZYlZc5kA0yCwWIOz-zg7RyM141g1lNaJQFiY_qtI,7196
+commonground_api_common-2.6.7.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+commonground_api_common-2.6.7.dist-info/top_level.txt,sha256=vPismc83zPzWXTmlNCCwfDlFV9iygJYxNJW5iDjKTgw,15
+commonground_api_common-2.6.7.dist-info/RECORD,,

vng_api_common/__init__.py

@@ -1 +1 @@
-__version__ = "2.6.6"
+__version__ = "2.6.7"

vng_api_common/authorizations/middleware.py

@@ -1,4 +1,5 @@
 import logging
+import time
 from typing import Any, Dict, Iterable, List, Optional
 
 from django.conf import settings
@@ -147,12 +148,31 @@ class JWTAuth:
                     key,
                     algorithms=["HS256"],
                     leeway=settings.TIME_LEEWAY,
+                    options={
+                        "require": ["iat"],
+                        "verify_iat": False,
+                    },  # iat is validated in _check_jwt_expiry
                 )
             except jwt.InvalidSignatureError:
                 logger.exception("Invalid signature - possible payload tampering?")
                 raise PermissionDenied(
                     "Client credentials zijn niet geldig", code="invalid-jwt-signature"
                 )
+            except jwt.MissingRequiredClaimError as exc:
+                msg = "Missing required {} claim".format(exc.claim)
+                logger.exception(msg)
+                raise PermissionDenied(
+                    _(msg),
+                    code="jwt-missing-{}-claim".format(exc.claim),
+                )
+            except jwt.PyJWTError as exc:
+                logger.exception("Invalid JWT encountered")
+                raise PermissionDenied(
+                    _("JWT did not validate"),
+                    code="jwt-{}".format(type(exc).__name__.lower()),
+                )
+
+            self._check_jwt_expiry(payload)
 
             self._payload = payload
 
@@ -164,6 +184,37 @@ class JWTAuth:
             return None
         return self.payload["client_id"]
 
+    def _check_jwt_expiry(self, payload: Dict[str, Any]) -> None:
+        """
+        Verify that the token was issued recently enough.
+
+        The Django settings define how long a JWT is considered to be valid. Adding
+        that duration to the issued-at claim determines the upper limit for token
+        validity.
+        """
+        iat = payload.get("iat")
+
+        try:
+            iat = int(iat)
+        except ValueError:
+            raise PermissionDenied(_("The iat claim must be an integer."))
+
+        current_timestamp = time.time()
+        difference = current_timestamp - iat
+
+        if difference < -settings.TIME_LEEWAY:
+            logger.warning(
+                "The JWT used for this request is not valid yet, the `iat` claim is "
+                "newer than the current time stamp. You may want to check the clock drift "
+                "on the Open Zaak server and/or tweak the `TIME_LEEWAY` setting.",
+                extra={"payload": payload},
+            )
+
+        if difference >= (settings.JWT_EXPIRY + settings.TIME_LEEWAY):
+            raise PermissionDenied(
+                _("The JWT used for this request is expired"), code="jwt-expired"
+            )
+
     def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
         if value is None:
             return base

vng_api_common/conf/api.py

@@ -9,6 +9,7 @@ __all__ = [
     "GEMMA_URL_INFORMATIEMODEL",
     "GEMMA_URL_TEMPLATE",
     "TIME_LEEWAY",
+    "JWT_EXPIRY",
     "JWT_SPECTACULAR_SETTINGS",
     "LINK_FETCHER",
     "NOTIFICATIONS_DISABLED",
@@ -97,4 +98,6 @@ COMMON_SPEC = f"https://raw.githubusercontent.com/{vng_repo}/feature/{vng_branch
 
 TIME_LEEWAY = 0  # default in PyJWT
 
+JWT_EXPIRY = 3600
+
 COMMONGROUND_API_COMMON_GET_DOMAIN = "vng_api_common.utils.get_site_domain"

vng_api_common/tests/auth.py

@@ -26,6 +26,8 @@ class AuthCheckMixin:
         request_kwargs = request_kwargs or {}
 
         with self.subTest(case="JWT missing"):
+            self.client.credentials()  # explicity clear credentials
+
             response = do_request(url, **request_kwargs)
 
             self.assertEqual(