pypomes-jwt 0.7.3__tar.gz → 0.7.8__tar.gz

{pypomes_jwt-0.7.3 → pypomes_jwt-0.7.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_jwt
-Version: 0.7.3
+Version: 0.7.8
 Summary: A collection of Python pomes, penyeach (JWT module)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-JWT
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-JWT/issues

{pypomes_jwt-0.7.3 → pypomes_jwt-0.7.8}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_jwt"
-version = "0.7.3"
+version = "0.7.8"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

{pypomes_jwt-0.7.3 → pypomes_jwt-0.7.8}/src/pypomes_jwt/jwt_constants.py

@@ -16,12 +16,10 @@ JWT_DB_USER: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_USER")
 JWT_DB_PWD: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_PWD")
 JWT_DB_CLIENT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_CLIENT")  # for Oracle, only
 JWT_DB_DRIVER: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_DRIVER")  # for SQLServer, only
-JWT_DB_TABLE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_TABLE",
-                                       def_value="jwt_token")
-JWT_DB_COL_ACCOUNT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_ACCOUNT",
-                                             def_value="account_id")
-JWT_DB_COL_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_TOKEN",
-                                           def_value="token")
+JWT_DB_TABLE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_TABLE")
+JWT_DB_COL_ACCOUNT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_ACCOUNT")
+JWT_DB_COL_HASH: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_HASH")
+JWT_DB_COL_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JWT_DB_COL_TOKEN")
 # define the database engine
 __db_engine: str | None = env_get_str(key=f"{APP_PREFIX}_JWT_DB_ENGINE")
 if __db_engine:
@@ -58,6 +56,7 @@ JWT_REFRESH_MAX_AGE: Final[int] = env_get_int(key=f"{APP_PREFIX}_JWT_REFRESH_MAX
                                               def_value=86400)
 JWT_ROTATE_TOKENS: Final[bool] = env_get_bool(key=f"{APP_PREFIX}_JWT_ROTATE_TOKENS",
                                               def_value=True)
+JWT_ACCOUNT_LIMIT: Final[int] = env_get_int(key=f"{APP_PREFIX}_JWT_ACCOUNT_LIMIT")
 
 # recommended: allow the encode and decode keys to be generated anew when app starts
 __encoding_key: bytes = env_get_bytes(key=f"{APP_PREFIX}_JWT_ENCODE_KEY")

{pypomes_jwt-0.7.3 → pypomes_jwt-0.7.8}/src/pypomes_jwt/jwt_data.py

@@ -1,3 +1,4 @@
+import hashlib
 import jwt
 import requests
 import string
@@ -9,8 +10,9 @@ from threading import Lock
 from typing import Any
 
 from .jwt_constants import (
-    JWT_DEFAULT_ALGORITHM, JWT_ENCODING_KEY, JWT_ROTATE_TOKENS,
-    JWT_DB_ENGINE, JWT_DB_TABLE, JWT_DB_COL_ACCOUNT, JWT_DB_COL_TOKEN
+    JWT_DEFAULT_ALGORITHM, JWT_ENCODING_KEY, JWT_DECODING_KEY,
+    JWT_ROTATE_TOKENS, JWT_ACCOUNT_LIMIT, JWT_DB_ENGINE,
+    JWT_DB_TABLE, JWT_DB_COL_ACCOUNT, JWT_DB_COL_HASH, JWT_DB_COL_TOKEN
 )
 
 
@@ -113,7 +115,7 @@ class JwtData:
         with self.access_lock:
             if account_id not in self.access_data:
                 self.access_data[account_id] = {
-                    "reference_url": reference_url,
+                    "reference-url": reference_url,
                     "access-max-age": access_max_age,
                     "refresh-max-age": refresh_max_age,
                     "grace-interval": grace_interval,
@@ -200,6 +202,7 @@ class JwtData:
                 # obtain new tokens
                 current_claims["jti"] = str_random(size=32,
                                                    chars=string.ascii_letters + string.digits)
+                current_claims["sub"] = account_id
                 current_claims["iss"] = account_data.get("reference-url")
 
                 # where is the JWT service provider ?
@@ -224,6 +227,8 @@ class JwtData:
                     # JWT service is being provided locally
                     just_now: int = int(datetime.now(tz=timezone.utc).timestamp())
                     current_claims["iat"] = just_now
+                    if JWT_DEFAULT_ALGORITHM in []:
+                        current_claims["kid"] = JWT_DECODING_KEY
 
                     # retrieve the refresh token associated with the account id
                     refresh_token: str | None = None
@@ -257,12 +262,10 @@ class JwtData:
                                                         algorithm=JWT_DEFAULT_ALGORITHM)
                         # persist the new refresh token
                         if JWT_DB_ENGINE:
-                            from pypomes_db import db_insert
-                            db_insert(errors=errors,
-                                      insert_stmt=f"INSERT INTO {JWT_DB_TABLE}",
-                                      insert_data={JWT_DB_COL_ACCOUNT: account_id,
-                                                   JWT_DB_COL_TOKEN: refresh_token},
-                                      logger=logger)
+                            # persist the refresh token
+                            _jwt_persist_token(account_id=account_id,
+                                               jwt_token=refresh_token,
+                                               logger=logger)
                             if errors:
                                 raise RuntimeError(" - ".join(errors))
 
@@ -340,3 +343,71 @@ def _jwt_request_token(errors: list[str],
         errors.append(err_msg)
 
     return result
+
+
+def _jwt_persist_token(account_id: str,
+                       jwt_token: str,
+                       logger: Logger = None) -> bool:
+    """
+    Persist the given token, making sure that the account limit is adhered to.
+
+    :param jwt_token: the JWT token to persist
+    :param account_id: the account identification
+    :returns: *True* if token was persisted, *False* otherwise
+    """
+    from pypomes_db import db_select, db_insert, db_delete
+    from .jwt_pomes import jwt_get_claims
+
+    # retrieve the account's tokens
+    errors: list[str] = []
+    recs: list[tuple[str]] = db_select(errors=errors,
+                                       sel_stmt=f"SELECT {JWT_DB_COL_HASH}, {JWT_DB_COL_TOKEN} FROM {JWT_DB_TABLE} ",
+                                       where_data={JWT_DB_COL_ACCOUNT: f"'{account_id}'"})
+    if not errors:
+        if logger:
+            logger.debug(msg=f"Read {len(recs)} token from storage for account '{account_id}'")
+        # remove the expired tokens
+        expired: list[str] = []
+        for rec in recs:
+            token: str = rec[1]
+            token_hash: str = rec[0]
+            op_errors: list[str] = []
+            token_claims: dict[str, Any] = jwt_get_claims(errors=op_errors,
+                                                          token=token,
+                                                          validate=False,
+                                                          logger=logger)
+            if op_errors:
+                break
+
+            exp: int = token_claims["payload"]["exp"]
+            if exp < datetime.now(tz=timezone.utc).timestamp():
+                expired.append(token_hash)
+
+        if not errors:
+            # remove expired tokens from persistence
+            # ruff: noqa: SIM102
+            if expired:
+                if db_delete(errors=errors,
+                             delete_stmt=f"DELETE FROM {JWT_DB_TABLE}",
+                             where_data={
+                                JWT_DB_COL_ACCOUNT: f"'{account_id}'",
+                                JWT_DB_COL_HASH: expired
+                             },
+                             logger=logger) is not None:
+                    if logger:
+                        logger.debug(msg=f"{len(expired)} tokens removed from storage")
+                    if 0 < JWT_ACCOUNT_LIMIT <= len(recs) - len(expired):
+                        errors.append("Maximum number of active sessions "
+                                      f"({JWT_ACCOUNT_LIMIT}) exceeded for account '{account_id}'")
+            # persist token
+            if not errors:
+                # ruff: noqa: S324
+                hasher = hashlib.new(name="md5")
+                hasher.update(jwt_token.encode())
+                token_hash: str = hasher.digest().decode()
+                db_insert(errors=errors,
+                          insert_stmt=f"INSERT INTO {JWT_DB_TABLE}",
+                          insert_data={"ds_hash": token_hash,
+                                       "ds_token": jwt_token})
+
+    return len(errors) == 0

{pypomes_jwt-0.7.3 → pypomes_jwt-0.7.8}/src/pypomes_jwt/jwt_pomes.py

@@ -6,7 +6,7 @@ from typing import Any, Literal
 from .jwt_constants import (
     JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE,
     JWT_DEFAULT_ALGORITHM, JWT_DECODING_KEY,
-    JWT_DB_ENGINE, JWT_DB_TABLE, JWT_DB_COL_ACCOUNT
+    JWT_DB_ENGINE, JWT_DB_TABLE, JWT_DB_COL_ACCOUNT, JWT_DB_COL_TOKEN
 )
 from .jwt_data import JwtData
 
@@ -31,6 +31,51 @@ def jwt_needed(func: callable) -> callable:
     return wrapper
 
 
+def jwt_verify_request(request: Request,
+                       logger: Logger = None) -> Response:
+    """
+    Verify wheher the HTTP *request* has the proper authorization, as per the JWT standard.
+
+    :param request: the request to be verified
+    :param logger: optional logger
+    :return: *None* if the request is valid, otherwise a *Response* object reporting the error
+    """
+    # initialize the return variable
+    result: Response | None = None
+
+    if logger:
+        logger.debug(msg="Validate a JWT token")
+    err_msg: str | None = None
+
+    # retrieve the authorization from the request header
+    auth_header: str = request.headers.get("Authorization")
+
+    # was a 'Bearer' authorization obtained ?
+    if auth_header and auth_header.startswith("Bearer "):
+        # yes, extract and validate the JWT access token
+        token: str = auth_header.split(" ")[1]
+        if logger:
+            logger.debug(msg=f"Token is '{token}'")
+        errors: list[str] = []
+        jwt_validate_token(errors=errors,
+                           nature="A",
+                           token=token)
+        if errors:
+            err_msg = "; ".join(errors)
+    else:
+        # no 'Bearer' found, report the error
+        err_msg = "Request header has no 'Bearer' data"
+
+    # log the error and deny the authorization
+    if err_msg:
+        if logger:
+            logger.error(msg=err_msg)
+        result = Response(response="Authorization failed",
+                          status=401)
+
+    return result
+
+
 def jwt_assert_access(account_id: str) -> bool:
     """
     Determine whether access for *account_id* has been established.
@@ -227,15 +272,28 @@ def jwt_get_tokens(errors: list[str] | None,
         logger.debug(msg=f"Retrieve JWT token data for '{account_id}'")
     op_errors: list[str] = []
     if refresh_token:
-        account_claims = jwt_get_claims(errors=op_errors,
-                                        token=refresh_token)
-        if not op_errors and account_claims.get("nat") != "R":
-            op_errors.extend("Invalid parameters")
+        # verify whether this refresh token is legitimate
+        if JWT_DB_ENGINE:
+            from pypomes_db import db_select
+            recs: list[tuple[str]] = db_select(errors=op_errors,
+                                               sel_stmt=f"SELECT {JWT_DB_COL_TOKEN} "
+                                                        f"FROM {JWT_DB_TABLE}",
+                                               where_data={JWT_DB_COL_ACCOUNT: f"'{account_id}'"},
+                                               logger=logger)
+            if not op_errors and \
+                    (len(recs) == 0 or recs[0][0] != refresh_token):
+                op_errors.append("Invalid refresh token")
+        if not op_errors:
+            account_claims = jwt_get_claims(errors=op_errors,
+                                            token=refresh_token)
+            if not op_errors and account_claims.get("nat") != "R":
+                op_errors.append("Invalid parameters")
 
     if not op_errors:
         try:
             result = __jwt_data.issue_tokens(account_id=account_id,
-                                             account_claims=account_claims)
+                                             account_claims=account_claims,
+                                             logger=logger)
             if logger:
                 logger.debug(msg=f"Data is '{result}'")
         except Exception as e:
@@ -253,12 +311,43 @@ def jwt_get_tokens(errors: list[str] | None,
 
 def jwt_get_claims(errors: list[str] | None,
                    token: str,
+                   validate: bool = True,
                    logger: Logger = None) -> dict[str, Any]:
     """
     Obtain and return the claims set of a JWT *token*.
 
+    If *validate* is set to *True*, tha following pieces of information are verified:
+      - the token was issued and signed by the local provider, and is not corrupted
+      - the claim 'exp' is present and is in the future
+      - the claim 'nbf' is present and is in the past
+
+    Structure of the returned data:
+      {
+        "header": {
+          "alg": "HS256",
+          "typ": "JWT"
+        },
+        "payload": {
+          "birthdate": "1980-01-01",
+          "email": "jdoe@mail.com",
+          "exp": 1516640454,
+          "iat": 1516239022,
+          "iss": "https://my_id_provider/issue",
+          "jti": "Uhsdfgr67FGH567qwSDF33er89retert",
+          "gender": "M,
+          "name": "John Doe",
+          "nbt": 1516249022
+          "sub": "1234567890",
+          "roles": [
+            "administrator",
+            "operator"
+          ]
+        }
+      }
+
     :param errors: incidental error messages
     :param token: the token to be inspected for claims
+    :param validate: If *True*, verifies the token's data
     :param logger: optional logger
     :return: the token's claimset, or *None* if error
     """
@@ -269,14 +358,26 @@ def jwt_get_claims(errors: list[str] | None,
         logger.debug(msg=f"Retrieve claims for token '{token}'")
 
     try:
-        claims: dict[str, Any] = jwt.decode(jwt=token,
-                                            options={"verify_signature": False})
-        if claims.get("nat") in ["A", "R"]:
-            result = jwt.decode(jwt=token,
-                                key=JWT_DECODING_KEY,
-                                algorithms=[JWT_DEFAULT_ALGORITHM])
+        # retrieve the token's payload
+        if validate:
+            payload: dict[str, Any] = jwt.decode(jwt=token,
+                                                 options={
+                                                     "verify_signature": True,
+                                                     "verify_exp": True,
+                                                     "verify_nbf": True
+                                                 },
+                                                 key=JWT_DECODING_KEY,
+                                                 require=["exp", "nbf"],
+                                                 algorithms=[JWT_DEFAULT_ALGORITHM])
         else:
-            result = claims
+            payload: dict[str, Any] = jwt.decode(jwt=token,
+                                                 options={"verify_signature": False})
+        # retrieve the token's header
+        header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
+        result = {
+            "header": header,
+            "payload": payload
+        }
     except Exception as e:
         if logger:
             logger.error(msg=str(e))
@@ -284,48 +385,3 @@ def jwt_get_claims(errors: list[str] | None,
             errors.append(str(e))
 
     return result
-
-
-def jwt_verify_request(request: Request,
-                       logger: Logger = None) -> Response:
-    """
-    Verify wheher the HTTP *request* has the proper authorization, as per the JWT standard.
-
-    :param request: the request to be verified
-    :param logger: optional logger
-    :return: *None* if the request is valid, otherwise a *Response* object reporting the error
-    """
-    # initialize the return variable
-    result: Response | None = None
-
-    if logger:
-        logger.debug(msg="Validate a JWT token")
-    err_msg: str | None = None
-
-    # retrieve the authorization from the request header
-    auth_header: str = request.headers.get("Authorization")
-
-    # was a 'Bearer' authorization obtained ?
-    if auth_header and auth_header.startswith("Bearer "):
-        # yes, extract and validate the JWT access token
-        token: str = auth_header.split(" ")[1]
-        if logger:
-            logger.debug(msg=f"Token is '{token}'")
-        errors: list[str] = []
-        jwt_validate_token(errors=errors,
-                           nature="A",
-                           token=token)
-        if errors:
-            err_msg = "; ".join(errors)
-    else:
-        # no 'Bearer' found, report the error
-        err_msg = "Request header has no 'Bearer' data"
-
-    # log the error and deny the authorization
-    if err_msg:
-        if logger:
-            logger.error(msg=err_msg)
-        result = Response(response="Authorization failed",
-                          status=401)
-
-    return result