PyPI - commonground-api-common - Versions diffs - 2.6.6__tar.gz → 2.6.7__tar.gz - Mend

commonground-api-common 2.6.6tar.gz → 2.6.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/CHANGELOG.rst RENAMED Viewed

@@ -2,6 +2,18 @@
 Change history
 ==============
+2.6.7 (2025-06-30)
+------------------
+**Bugfixes**
+* [#103] Fix 500 error that occurred with ``iat`` in future, log a warning
+* Add JWT expiry validation based on ``iat``
+**Maintenance**
+* Upgrade PyJWT to 2.10.1
 2.6.6 (2025-06-04)
 ------------------

{commonground_api_common-2.6.6/commonground_api_common.egg-info → commonground_api_common-2.6.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.6
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -45,10 +45,10 @@ Provides-Extra: drf-extra-fields
 Requires-Dist: drf-extra-fields>=3.7.0; extra == "drf-extra-fields"
 Provides-Extra: tests
 Requires-Dist: psycopg2; extra == "tests"
-Requires-Dist: pytest==8.3.5; extra == "tests"
+Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.6
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/README.rst RENAMED Viewed

@@ -3,7 +3,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.6
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7/commonground_api_common.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: commonground-api-common
-Version: 2.6.6
+Version: 2.6.7
 Summary: Commonground API tooling
 Home-page: https://github.com/maykinmedia/commonground-api-common
 Author: Maykin Media, VNG-Realisatie
@@ -32,7 +32,7 @@ Requires-Dist: iso639-lang
 Requires-Dist: notifications-api-common>=0.3.1
 Requires-Dist: zgw-consumers>=0.35.1
 Requires-Dist: oyaml
-Requires-Dist: PyJWT>=2.1.1
+Requires-Dist: PyJWT>=2.10.1
 Requires-Dist: requests
 Requires-Dist: coreapi
 Requires-Dist: ape-pie
@@ -45,10 +45,10 @@ Provides-Extra: drf-extra-fields
 Requires-Dist: drf-extra-fields>=3.7.0; extra == "drf-extra-fields"
 Provides-Extra: tests
 Requires-Dist: psycopg2; extra == "tests"
-Requires-Dist: pytest==8.3.5; extra == "tests"
+Requires-Dist: pytest; extra == "tests"
 Requires-Dist: pytest-django; extra == "tests"
 Requires-Dist: pytest-dotenv; extra == "tests"
-Requires-Dist: pytest-factoryboy; extra == "tests"
+Requires-Dist: pytest-factoryboy>=2.8.0; extra == "tests"
 Requires-Dist: tox; extra == "tests"
 Requires-Dist: ruff; extra == "tests"
 Requires-Dist: requests-mock; extra == "tests"
@@ -76,7 +76,7 @@ Commonground-API-common - Tooling voor RESTful APIs
 ===================================================
-:Version: 2.6.6
+:Version: 2.6.7
 :Source: https://github.com/maykinmedia/commonground-api-common
 :PythonVersion: 3.12

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/commonground_api_common.egg-info/requires.txt RENAMED Viewed

@@ -10,7 +10,7 @@ iso639-lang
 notifications-api-common>=0.3.1
 zgw-consumers>=0.35.1
 oyaml
-PyJWT>=2.1.1
+PyJWT>=2.10.1
 requests
 coreapi
 ape-pie
@@ -44,10 +44,10 @@ django-setup-configuration>=0.7.0
 [tests]
 psycopg2
-pytest==8.3.5
+pytest
 pytest-django
 pytest-dotenv
-pytest-factoryboy
+pytest-factoryboy>=2.8.0
 tox
 ruff
 requests-mock

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/setup.cfg RENAMED Viewed

@@ -1,6 +1,6 @@
 [metadata]
 name = commonground-api-common
-version = 2.6.6
+version = 2.6.7
 description = Commonground API tooling
 long_description = file: README.rst
 url = https://github.com/maykinmedia/commonground-api-common
@@ -42,7 +42,7 @@ install_requires =
 	notifications-api-common>=0.3.1
 	zgw-consumers>=0.35.1
 	oyaml
-	PyJWT>=2.1.1
+	PyJWT>=2.10.1
 	requests
 	coreapi
 	ape-pie
@@ -71,10 +71,10 @@ drf_extra_fields =
 	drf-extra-fields>=3.7.0
 tests =
 	psycopg2
-	pytest==8.3.5 # can be unpinned when pytest-factoryboy is updated
+	pytest
 	pytest-django
 	pytest-dotenv
-	pytest-factoryboy
+	pytest-factoryboy>=2.8.0
 	tox
 	ruff
 	requests-mock

commonground_api_common-2.6.7/tests/test_jwt_decoding.py ADDED Viewed

@@ -0,0 +1,231 @@
+from datetime import datetime
+import jwt
+import pytest
+from freezegun import freeze_time
+from rest_framework.exceptions import PermissionDenied
+from vng_api_common.authorizations.middleware import JWTAuth
+from vng_api_common.models import JWTSecret
+@pytest.mark.django_db
+def test_jwt_decode_ok():
+    secret = "secret"
+    JWTSecret.objects.create(identifier="client", secret=secret)
+    timestamp = int(datetime.now().timestamp())
+    token = jwt.encode(
+        {"client_id": "client", "iat": timestamp}, secret, algorithm="HS256"
+    )
+    auth = JWTAuth(token)
+    payload = auth.payload
+    assert auth.client_id == "client"
+    assert payload == {"client_id": "client", "iat": timestamp}
+@pytest.mark.django_db
+def test_jwt_decode_missing_iat():
+    secret = "secret"
+    JWTSecret.objects.create(identifier="client", secret=secret)
+    token = jwt.encode({"client_id": "client"}, secret, algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+def test_jwt_decode_str_iat():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    payload = {
+        "client_id": "client",
+        "iat": "timestamp",
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated_with_leeway(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_nbf_validated_with_leeway_not_enough(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp,
+        "nbf": timestamp + 10,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated():
+    """jwt iat in future only logs a warning"""
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated_with_leeway(settings):
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 1,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_iat_validated_with_leeway_not_enough(settings):
+    """jwt iat in future only logs a warning"""
+    settings.TIME_LEEWAY = 3
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {
+        "client_id": "client",
+        "iat": timestamp + 10,  # 1 second "later" than current time
+    }
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_ok():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_within_exp_setting():
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 1000}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated(settings):
+    settings.JWT_EXPIRY = 3600
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3601}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated_with_leeway(settings):
+    settings.JWT_EXPIRY = 3600
+    settings.TIME_LEEWAY = 5
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3603}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    assert auth.payload == payload
+@pytest.mark.django_db
+@freeze_time("2021-08-23T14:20:00")
+def test_exp_validated_with_leeway_not_enough(settings):
+    settings.JWT_EXPIRY = 3600
+    settings.TIME_LEEWAY = 5
+    JWTSecret.objects.create(identifier="client", secret="secret")
+    timestamp = int(datetime.now().timestamp())
+    payload = {"client_id": "client", "iat": timestamp - 3610}
+    token = jwt.encode(payload, "secret", algorithm="HS256")
+    auth = JWTAuth(token)
+    with pytest.raises(PermissionDenied):
+        auth.payload

commonground_api_common-2.6.7/vng_api_common/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = "2.6.7"

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/vng_api_common/authorizations/middleware.py RENAMED Viewed

@@ -1,4 +1,5 @@
 import logging
+import time
 from typing import Any, Dict, Iterable, List, Optional
 from django.conf import settings
@@ -147,12 +148,31 @@ class JWTAuth:
                     key,
                     algorithms=["HS256"],
                     leeway=settings.TIME_LEEWAY,
+                    options={
+                        "require": ["iat"],
+                        "verify_iat": False,
+                    },  # iat is validated in _check_jwt_expiry
                 )
             except jwt.InvalidSignatureError:
                 logger.exception("Invalid signature - possible payload tampering?")
                 raise PermissionDenied(
                     "Client credentials zijn niet geldig", code="invalid-jwt-signature"
                 )
+            except jwt.MissingRequiredClaimError as exc:
+                msg = "Missing required {} claim".format(exc.claim)
+                logger.exception(msg)
+                raise PermissionDenied(
+                    _(msg),
+                    code="jwt-missing-{}-claim".format(exc.claim),
+                )
+            except jwt.PyJWTError as exc:
+                logger.exception("Invalid JWT encountered")
+                raise PermissionDenied(
+                    _("JWT did not validate"),
+                    code="jwt-{}".format(type(exc).__name__.lower()),
+                )
+            self._check_jwt_expiry(payload)
             self._payload = payload
@@ -164,6 +184,37 @@ class JWTAuth:
             return None
         return self.payload["client_id"]
+    def _check_jwt_expiry(self, payload: Dict[str, Any]) -> None:
+        """
+        Verify that the token was issued recently enough.
+        The Django settings define how long a JWT is considered to be valid. Adding
+        that duration to the issued-at claim determines the upper limit for token
+        validity.
+        """
+        iat = payload.get("iat")
+        try:
+            iat = int(iat)
+        except ValueError:
+            raise PermissionDenied(_("The iat claim must be an integer."))
+        current_timestamp = time.time()
+        difference = current_timestamp - iat
+        if difference < -settings.TIME_LEEWAY:
+            logger.warning(
+                "The JWT used for this request is not valid yet, the `iat` claim is "
+                "newer than the current time stamp. You may want to check the clock drift "
+                "on the Open Zaak server and/or tweak the `TIME_LEEWAY` setting.",
+                extra={"payload": payload},
+            )
+        if difference >= (settings.JWT_EXPIRY + settings.TIME_LEEWAY):
+            raise PermissionDenied(
+                _("The JWT used for this request is expired"), code="jwt-expired"
+            )
     def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
         if value is None:
             return base

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/vng_api_common/conf/api.py RENAMED Viewed

@@ -9,6 +9,7 @@ __all__ = [
     "GEMMA_URL_INFORMATIEMODEL",
     "GEMMA_URL_TEMPLATE",
     "TIME_LEEWAY",
+    "JWT_EXPIRY",
     "JWT_SPECTACULAR_SETTINGS",
     "LINK_FETCHER",
     "NOTIFICATIONS_DISABLED",
@@ -97,4 +98,6 @@ COMMON_SPEC = f"https://raw.githubusercontent.com/{vng_repo}/feature/{vng_branch
 TIME_LEEWAY = 0  # default in PyJWT
+JWT_EXPIRY = 3600
 COMMONGROUND_API_COMMON_GET_DOMAIN = "vng_api_common.utils.get_site_domain"

{commonground_api_common-2.6.6 → commonground_api_common-2.6.7}/vng_api_common/tests/auth.py RENAMED Viewed

@@ -26,6 +26,8 @@ class AuthCheckMixin:
         request_kwargs = request_kwargs or {}
         with self.subTest(case="JWT missing"):
+            self.client.credentials()  # explicity clear credentials
             response = do_request(url, **request_kwargs)
             self.assertEqual(

commonground_api_common-2.6.6/tests/test_jwt_decoding.py DELETED Viewed

@@ -1,56 +0,0 @@
-from datetime import datetime
-import jwt
-import pytest
-from freezegun import freeze_time
-from jwt import ImmatureSignatureError
-from vng_api_common.authorizations.middleware import JWTAuth
-from vng_api_common.models import JWTSecret
-@pytest.mark.django_db
-def test_jwt_decode_ok():
-    secret = "secret"
-    JWTSecret.objects.create(identifier="client", secret=secret)
-    token = jwt.encode({"client_id": "client"}, secret, algorithm="HS256")
-    auth = JWTAuth(token)
-    payload = auth.payload
-    assert auth.client_id == "client"
-    assert payload == {"client_id": "client"}
-@pytest.mark.django_db
-@freeze_time("2021-08-23T14:20:00")
-def test_nbf_validated():
-    JWTSecret.objects.create(identifier="client", secret="secret")
-    payload = {
-        "client_id": "client",
-        "nbf": int(datetime.now().timestamp())
-        + 1,  # 1 second "later" than current time
-    }
-    token = jwt.encode(payload, "secret", algorithm="HS256")
-    auth = JWTAuth(token)
-    with pytest.raises(ImmatureSignatureError):
-        auth.payload
-@pytest.mark.django_db
-@freeze_time("2021-08-23T14:20:00")
-def test_nbf_validated_with_leeway(settings):
-    settings.TIME_LEEWAY = 3
-    JWTSecret.objects.create(identifier="client", secret="secret")
-    payload = {
-        "client_id": "client",
-        "nbf": int(datetime.now().timestamp())
-        + 1,  # 1 second "later" than current time
-    }
-    token = jwt.encode(payload, "secret", algorithm="HS256")
-    auth = JWTAuth(token)
-    assert auth.payload == payload