pypomes-jwt 0.7.1__py3-none-any.whl → 0.7.3__py3-none-any.whl

pypomes_jwt/__init__.py

@@ -1,25 +1,27 @@
 from .jwt_constants import (
     JWT_DB_ENGINE, JWT_DB_HOST, JWT_DB_NAME,
     JWT_DB_PORT, JWT_DB_USER, JWT_DB_PWD,
+    JWT_DB_TABLE, JWT_DB_COL_ACCOUNT, JWT_DB_COL_TOKEN,
     JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE,
     JWT_ENCODING_KEY, JWT_DECODING_KEY
 )
 from .jwt_pomes import (
-    jwt_needed, jwt_verify_request, jwt_claims, jwt_tokens,
+    jwt_needed, jwt_verify_request,
     jwt_get_tokens, jwt_get_claims, jwt_validate_token,
-    jwt_assert_access, jwt_set_access, jwt_remove_access
+    jwt_assert_access, jwt_set_access, jwt_remove_access, jwt_revoke_tokens
 )
 
 __all__ = [
     # jwt_constants
     "JWT_DB_ENGINE", "JWT_DB_HOST", "JWT_DB_NAME",
     "JWT_DB_PORT", "JWT_DB_USER", "JWT_DB_PWD",
+    "JWT_DB_TABLE", "JWT_DB_COL_ACCOUNT", "JWT_DB_COL_TOKEN",
     "JWT_ACCESS_MAX_AGE", "JWT_REFRESH_MAX_AGE",
     "JWT_ENCODING_KEY", "JWT_DECODING_KEY",
     # jwt_pomes
-    "jwt_needed", "jwt_verify_request", "jwt_claims", "jwt_tokens",
+    "jwt_needed", "jwt_verify_request",
     "jwt_get_tokens", "jwt_get_claims", "jwt_validate_token",
-    "jwt_assert_access", "jwt_set_access", "jwt_remove_access"
+    "jwt_assert_access", "jwt_set_access", "jwt_remove_access", "jwt_revoke_tokens"
 ]
 
 from importlib.metadata import version

pypomes_jwt/jwt_constants.py

@@ -9,16 +9,43 @@ from secrets import token_bytes
 from typing import Final
 
 # database specs for token persistence
-JWT_DB_ENGINE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_ENGINE")
 JWT_DB_HOST: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_HOST")
 JWT_DB_NAME: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_NAME")
 JWT_DB_PORT: Final[int] = env_get_int(key=f"{APP_PREFIX}_JWT_DB_PORT")
 JWT_DB_USER: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_USER")
 JWT_DB_PWD: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_PWD")
-
-JWT_ROTATE_TOKENS: Final[bool] = False \
-    if JWT_DB_ENGINE is None else env_get_bool(key=f"{APP_PREFIX}_JWT_ROTATE_TOKENS",
-                                               def_value=False)
+JWT_DB_CLIENT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_CLIENT")  # for Oracle, only
+JWT_DB_DRIVER: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_DRIVER")  # for SQLServer, only
+JWT_DB_TABLE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_TABLE",
+                                       def_value="jwt_token")
+JWT_DB_COL_ACCOUNT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_ACCOUNT",
+                                             def_value="account_id")
+JWT_DB_COL_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_TOKEN",
+                                           def_value="token")
+# define the database engine
+__db_engine: str | None = env_get_str(key=f"{APP_PREFIX}_JWT_DB_ENGINE")
+if __db_engine:
+    from pypomes_db import DbEngine, db_setup, db_assert_access, db_delete
+    from sys import stderr
+    if db_setup(engine=DbEngine(__db_engine),
+                db_name=JWT_DB_NAME,
+                db_user=JWT_DB_USER,
+                db_pwd=JWT_DB_PWD,
+                db_host=JWT_DB_HOST,
+                db_port=JWT_DB_PORT,
+                db_client=JWT_DB_CLIENT,
+                db_driver=JWT_DB_DRIVER):
+        __errors: list[str] = []
+        if not db_assert_access(errors=__errors) or \
+            db_delete(errors=__errors,
+                      delete_stmt=f"DELETE FROM {JWT_DB_TABLE}") is None:
+            stderr.write(f"{'; '.join(__errors)}\n")
+            __db_engine = None
+    else:
+        stderr.write("Invalid database parameters\n")
+        __db_engine = None
+# if set to 'None', no further attempt will be made to access the database
+JWT_DB_ENGINE: Final[DbEngine] = DbEngine(__db_engine) if __db_engine else None
 
 # one of HS256, HS512, RSA256, RSA512
 JWT_DEFAULT_ALGORITHM: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DEFAULT_ALGORITHM",
@@ -29,6 +56,8 @@ JWT_ACCESS_MAX_AGE: Final[int] = env_get_int(key=f"{APP_PREFIX}_JWT_ACCESS_MAX_A
 # recommended: at least 2 hours (set to 24 hours)
 JWT_REFRESH_MAX_AGE: Final[int] = env_get_int(key=f"{APP_PREFIX}_JWT_REFRESH_MAX_AGE",
                                               def_value=86400)
+JWT_ROTATE_TOKENS: Final[bool] = env_get_bool(key=f"{APP_PREFIX}_JWT_ROTATE_TOKENS",
+                                              def_value=True)
 
 # recommended: allow the encode and decode keys to be generated anew when app starts
 __encoding_key: bytes = env_get_bytes(key=f"{APP_PREFIX}_JWT_ENCODE_KEY")

pypomes_jwt/jwt_data.py

@@ -9,7 +9,8 @@ from threading import Lock
 from typing import Any
 
 from .jwt_constants import (
-    JWT_DEFAULT_ALGORITHM, JWT_ENCODING_KEY
+    JWT_DEFAULT_ALGORITHM, JWT_ENCODING_KEY, JWT_ROTATE_TOKENS,
+    JWT_DB_ENGINE, JWT_DB_TABLE, JWT_DB_COL_ACCOUNT, JWT_DB_COL_TOKEN
 )
 
 
@@ -19,7 +20,7 @@ class JwtData:
 
     Instance variables:
         - access_lock: lock for safe multi-threading access
-        - access_data: list with dictionaries holding the JWT token data, organized by account ids:
+        - access_data: dictionary holding the JWT token data, organized by account id:
          {
            <account-id>: {
              "reference-url":              # the reference URL
@@ -178,7 +179,7 @@ class JwtData:
         :raises InvalidIssuerError: 'iss' claim does not match the expected issuer
         :raises InvalidIssuedAtError: 'iat' claim is non-numeric
         :raises MissingRequiredClaimError: a required claim is not contained in the claimset
-        :raises RuntimeError: access data not found for the given *account_id*, or
+        :raises RuntimeError: error accessing the revocation database, or
                               the remote JWT provider failed to return a token
         """
         # initialize the return variable
@@ -191,9 +192,10 @@ class JwtData:
             # was the JWT data obtained ?
             if account_data:
                 # yes, proceed
+                errors: list[str] = []
                 current_claims: dict[str, Any] = account_data.get("claims").copy()
                 if account_claims:
-                    current_claims.update(current_claims)
+                    current_claims.update(account_claims)
 
                 # obtain new tokens
                 current_claims["jti"] = str_random(size=32,
@@ -203,7 +205,6 @@ class JwtData:
                 # where is the JWT service provider ?
                 if account_data.get("remote-provider"):
                     # JWT service is being provided by a remote server
-                    errors: list[str] = []
                     # Structure of the return data:
                     # {
                     #   "access_token": <jwt-token>,
@@ -221,15 +222,53 @@ class JwtData:
                         raise RuntimeError(" - ".join(errors))
                 else:
                     # JWT service is being provided locally
-                    just_now: float = datetime.now(tz=timezone.utc).timestamp()
+                    just_now: int = int(datetime.now(tz=timezone.utc).timestamp())
                     current_claims["iat"] = just_now
-                    current_claims["exp"] = just_now + account_data.get("access-max-age")
-                    current_claims["nat"] = "R"
-                    # may raise an exception
-                    refresh_token: str = jwt.encode(payload=current_claims,
-                                                    key=JWT_ENCODING_KEY,
-                                                    algorithm=JWT_DEFAULT_ALGORITHM)
+
+                    # retrieve the refresh token associated with the account id
+                    refresh_token: str | None = None
+                    if JWT_DB_ENGINE:
+                        from pypomes_db import db_select, db_delete
+                        if JWT_ROTATE_TOKENS:
+                            db_delete(errors=errors,
+                                      delete_stmt=f"DELETE FROM {JWT_DB_TABLE} "
+                                                  f"WHERE {JWT_DB_COL_ACCOUNT} = '{account_id}'",
+                                      logger=logger)
+                        else:
+                            recs: list[tuple[str]] = \
+                                db_select(errors=errors,
+                                          sel_stmt=f"SELECT token FROM {JWT_DB_TABLE} "
+                                                   f"WHERE {JWT_DB_COL_ACCOUNT} = '{account_id}'",
+                                          max_count=1,
+                                          logger=logger)
+                            if recs:
+                                refresh_token = recs[0][0]
+                        if errors:
+                            raise RuntimeError(" - ".join(errors))
+
+                    # was it obtained ?
+                    if not refresh_token:
+                        # no, issue a new one
+                        current_claims["exp"] = just_now + account_data.get("refresh-max-age")
+                        current_claims["nat"] = "R"
+                        # may raise an exception
+                        refresh_token: str = jwt.encode(payload=current_claims,
+                                                        key=JWT_ENCODING_KEY,
+                                                        algorithm=JWT_DEFAULT_ALGORITHM)
+                        # persist the new refresh token
+                        if JWT_DB_ENGINE:
+                            from pypomes_db import db_insert
+                            db_insert(errors=errors,
+                                      insert_stmt=f"INSERT INTO {JWT_DB_TABLE}",
+                                      insert_data={JWT_DB_COL_ACCOUNT: account_id,
+                                                   JWT_DB_COL_TOKEN: refresh_token},
+                                      logger=logger)
+                            if errors:
+                                raise RuntimeError(" - ".join(errors))
+
+                    # issue the access token
                     current_claims["nat"] = "A"
+                    current_claims["exp"] = just_now + account_data.get("access-max-age")
                     # may raise an exception
                     access_token: str = jwt.encode(payload=current_claims,
                                                    key=JWT_ENCODING_KEY,
@@ -237,8 +276,8 @@ class JwtData:
                     # return the token data
                     result = {
                         "access_token": access_token,
-                        "created_in": account_claims.get("iat"),
-                        "expires_in": account_claims.get("exp"),
+                        "created_in": current_claims.get("iat"),
+                        "expires_in": current_claims.get("exp"),
                         "refresh_token": refresh_token
                     }
             else:

pypomes_jwt/jwt_pomes.py

@@ -1,12 +1,12 @@
-import contextlib
 import jwt
-from flask import Request, Response, request, jsonify
+from flask import Request, Response, request
 from logging import Logger
 from typing import Any, Literal
 
 from .jwt_constants import (
     JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE,
-    JWT_DEFAULT_ALGORITHM, JWT_DECODING_KEY
+    JWT_DEFAULT_ALGORITHM, JWT_DECODING_KEY,
+    JWT_DB_ENGINE, JWT_DB_TABLE, JWT_DB_COL_ACCOUNT
 )
 from .jwt_data import JwtData
 
@@ -153,12 +153,57 @@ def jwt_validate_token(errors: list[str] | None,
     return err_msg is None
 
 
+def jwt_revoke_tokens(errors: list[str] | None,
+                      account_id: str,
+                      logger: Logger = None) -> bool:
+    """
+    Revoke all refresh tokens associated with *account_id*.
+
+    Revoke operations require access to a database table defined by *JWT_DB_TABLE*.
+
+    :param errors: incidental error messages
+    :param account_id: the account identification
+    :param logger: optional logger
+    :return: *True* if operation could be performed, *False* otherwise
+    """
+    # initialize the return variable
+    result: bool = False
+
+    if logger:
+        logger.debug(msg=f"Revoking refresh tokens of '{account_id}'")
+
+    op_errors: list[str] = []
+    if JWT_DB_ENGINE:
+        from pypomes_db import db_delete
+        delete_stmt: str = (f"DELETE FROM {JWT_DB_TABLE} "
+                            f"WHERE {JWT_DB_COL_ACCOUNT} = '{account_id}'")
+        db_delete(errors=op_errors,
+                  delete_stmt=delete_stmt,
+                  logger=logger)
+    else:
+        op_errors.append("Database access for token revocation has not been specified")
+
+    if op_errors:
+        if logger:
+            logger.error(msg="; ".join(op_errors))
+        if isinstance(errors, list):
+            errors.extend(op_errors)
+    else:
+        result = True
+
+    return result
+
+
 def jwt_get_tokens(errors: list[str] | None,
                    account_id: str,
                    account_claims: dict[str, Any] = None,
+                   refresh_token: str = None,
                    logger: Logger = None) -> dict[str, Any]:
     """
-    Issue and return the JWT token data associated with *account_id*.
+    Issue or refresh, and return, the JWT token data associated with *account_id*.
+
+    If *refresh_token* is provided, its claims are used on issuing the new tokens,
+    and claims in *account_claims*, if any, are ignored.
 
     Structure of the return data:
     {
@@ -171,6 +216,7 @@ def jwt_get_tokens(errors: list[str] | None,
     :param errors: incidental error messages
     :param account_id: the account identification
     :param account_claims: if provided, may supercede registered custom claims
+    :param refresh_token: if provided, defines a token refresh operation
     :param logger: optional logger
     :return: the JWT token data, or *None* if error
     """
@@ -179,17 +225,28 @@ def jwt_get_tokens(errors: list[str] | None,
 
     if logger:
         logger.debug(msg=f"Retrieve JWT token data for '{account_id}'")
-    try:
-        result = __jwt_data.issue_tokens(account_id=account_id,
-                                         account_claims=account_claims,
-                                         logger=logger)
-        if logger:
-            logger.debug(msg=f"Data is '{result}'")
-    except Exception as e:
+    op_errors: list[str] = []
+    if refresh_token:
+        account_claims = jwt_get_claims(errors=op_errors,
+                                        token=refresh_token)
+        if not op_errors and account_claims.get("nat") != "R":
+            op_errors.extend("Invalid parameters")
+
+    if not op_errors:
+        try:
+            result = __jwt_data.issue_tokens(account_id=account_id,
+                                             account_claims=account_claims)
+            if logger:
+                logger.debug(msg=f"Data is '{result}'")
+        except Exception as e:
+            # token issuing failed
+            op_errors.append(str(e))
+
+    if op_errors:
         if logger:
-            logger.error(msg=str(e))
+            logger.error("; ".join(op_errors))
         if isinstance(errors, list):
-            errors.append(str(e))
+            errors.extend(op_errors)
 
     return result
 
@@ -212,14 +269,14 @@ def jwt_get_claims(errors: list[str] | None,
         logger.debug(msg=f"Retrieve claims for token '{token}'")
 
     try:
-        reply: dict[str, Any] = jwt.decode(jwt=token,
-                                           options={"verify_signature": False})
-        if reply.get("nat") in ["A", "R"]:
+        claims: dict[str, Any] = jwt.decode(jwt=token,
+                                            options={"verify_signature": False})
+        if claims.get("nat") in ["A", "R"]:
             result = jwt.decode(jwt=token,
                                 key=JWT_DECODING_KEY,
                                 algorithms=[JWT_DEFAULT_ALGORITHM])
         else:
-            result = reply
+            result = claims
     except Exception as e:
         if logger:
             logger.error(msg=str(e))
@@ -250,12 +307,13 @@ def jwt_verify_request(request: Request,
 
     # was a 'Bearer' authorization obtained ?
     if auth_header and auth_header.startswith("Bearer "):
-        # yes, extract and validate the JWT token
+        # yes, extract and validate the JWT access token
         token: str = auth_header.split(" ")[1]
         if logger:
             logger.debug(msg=f"Token is '{token}'")
         errors: list[str] = []
         jwt_validate_token(errors=errors,
+                           nature="A",
                            token=token)
         if errors:
             err_msg = "; ".join(errors)
@@ -271,122 +329,3 @@ def jwt_verify_request(request: Request,
                           status=401)
 
     return result
-
-
-def jwt_claims(token: str = None) -> Response:
-    """
-    REST service entry point for retrieving the claims of a JWT token.
-
-    Structure of the return data:
-    {
-      "<claim-1>": <value-of-claim-1>,
-      ...
-      "<claim-n>": <value-of-claim-n>
-    }
-
-    :param token: the JWT token
-    :return: a *Response* containing the requested JWT token claims, or reporting an error
-    """
-    # declare the return variable
-    result: Response
-
-    # retrieve the token
-    # noinspection PyUnusedLocal
-    if not token:
-        token = request.values.get("token")
-        if not token:
-            with contextlib.suppress(Exception):
-                token = request.get_json().get("token")
-
-    # has the token been obtained ?
-    if token:
-        # yes, obtain the token data
-        errors: list[str] = []
-        token_claims: dict[str, Any] = jwt_get_claims(errors=errors,
-                                                      token=token)
-        if errors:
-            result = Response(response=errors,
-                              status=400)
-        else:
-            result = jsonify(token_claims)
-    else:
-        # no, report the problem
-        result = Response(response="Invalid parameters",
-                          status=400)
-
-    return result
-
-
-def jwt_tokens(service_params: dict[str, Any] = None) -> Response:
-    """
-    REST service entry point for obtaining or refreshing JWT tokens.
-
-    The requester must send, as parameter *service_params* or in the body of the request:
-    {
-      "account-id": "<string>"                             - required account identification
-      "refresh_token": <string>                            - if refresh is being requested
-      "<account-claim-key-1>": "<account-claim-value-1>",  - optional superceding account claims
-      ...
-      "<account-claim-key-n>": "<account-claim-value-n>"
-    }
-    if provided, the refresh token will cause a token refresh operation to be carried out.
-    Otherwise, a regular token issue operation is carried out, with the optional superceding
-    account claims being used (claims currently registered for the account may be overridden).
-
-    Structure of the return data:
-    {
-      "access_token": <jwt-token>,
-      "created_in": <timestamp>,
-      "expires_in": <seconds-to-expiration>,
-      "refresh_token": <jwt-token>
-    }
-
-    :param service_params: the optional JSON containing the request parameters (defaults to JSON in body)
-    :return: a *Response* containing the requested JWT token data, or reporting an error
-    """
-    # declare the return variable
-    result: Response
-
-    # retrieve the parameters
-    # noinspection PyUnusedLocal
-    params: dict[str, Any] = service_params or {}
-    if not params:
-        with contextlib.suppress(Exception):
-            params = request.get_json()
-    account_id: str | None = params.pop("account-id", None)
-    refresh_token: str | None = params.pop("refresh-token", None)
-    err_msg: str | None = None
-    token_data: dict[str, Any] | None = None
-
-    # has the account been identified ?
-    if account_id:
-        # yes, proceed
-        if refresh_token:
-            errors: list[str] = []
-            claims: dict[str, Any] = jwt_get_claims(errors=errors,
-                                                    token=refresh_token)
-            if errors:
-                err_msg = "; ".join(errors)
-            elif claims.get("nat") != "R":
-                err_msg = "Invalid parameters"
-            else:
-                params = claims
-
-        if not err_msg:
-            try:
-                token_data = __jwt_data.issue_tokens(account_id=account_id,
-                                                     account_claims=params)
-            except Exception as e:
-                # token issuing failed
-                err_msg = str(e)
-    else:
-        # no, report the problem
-        err_msg = "Invalid parameters"
-
-    if err_msg:
-        result = Response(response=err_msg,
-                          status=401)
-    else:
-        result = jsonify(token_data)
-
-    return result

{pypomes_jwt-0.7.1.dist-info → pypomes_jwt-0.7.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_jwt
-Version: 0.7.1
+Version: 0.7.3
 Summary: A collection of Python pomes, penyeach (JWT module)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-JWT
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-JWT/issues

pypomes_jwt-0.7.3.dist-info/RECORD

@@ -0,0 +1,8 @@
+pypomes_jwt/__init__.py,sha256=dkWeYPNwypjwFuTjx4YtC8QV9ihykF4xcJJ7x86Wc5g,1130
+pypomes_jwt/jwt_constants.py,sha256=zuU-JvVojYuNeEWfvPC62_IL2KZYshppYLZ3MnSpp4c,4523
+pypomes_jwt/jwt_data.py,sha256=gKXL-gRm2ABfSD_X42bSzBciv5nclO2uiqOSvUUgE3k,16419
+pypomes_jwt/jwt_pomes.py,sha256=zFU1TyeR3BhK9ToC1Vs1wh67uE2DGvzH9FltiQxI0EM,12160
+pypomes_jwt-0.7.3.dist-info/METADATA,sha256=FRPBH-XDlmst_zCKAAaRzSZa4LJvEZIcXe0Rw2GDprU,599
+pypomes_jwt-0.7.3.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_jwt-0.7.3.dist-info/licenses/LICENSE,sha256=NdakochSXm_H_-DSL_x2JlRCkYikj3snYYvTwgR5d_c,1086
+pypomes_jwt-0.7.3.dist-info/RECORD,,

pypomes_jwt-0.7.1.dist-info/RECORD

@@ -1,8 +0,0 @@
-pypomes_jwt/__init__.py,sha256=4dBUGZTw1c-TeZukYjwAM7VWFzoFBSEyAN26jgjQRtM,1022
-pypomes_jwt/jwt_constants.py,sha256=k1PFqBF7KI2Ie8ErOW1zw9IWTgqjkxvU4m2eKGr_1EA,2927
-pypomes_jwt/jwt_data.py,sha256=npKZqHZbftvvOGCRAl-2yovUbqCQW0FvcQvyuYGXA_U,14189
-pypomes_jwt/jwt_pomes.py,sha256=w2sgJUF4CZibBCxU_-PZvrQyMm1saP0FBnf1yCCUSak,14247
-pypomes_jwt-0.7.1.dist-info/METADATA,sha256=S092HRvlJYZVEgHbzJyZ3o1bAqlIqUwEri37srho9jA,599
-pypomes_jwt-0.7.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_jwt-0.7.1.dist-info/licenses/LICENSE,sha256=NdakochSXm_H_-DSL_x2JlRCkYikj3snYYvTwgR5d_c,1086
-pypomes_jwt-0.7.1.dist-info/RECORD,,