pypomes-jwt 0.9.8__tar.gz → 1.0.0__tar.gz

{pypomes_jwt-0.9.8 → pypomes_jwt-1.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_jwt
-Version: 0.9.8
+Version: 1.0.0
 Summary: A collection of Python pomes, penyeach (JWT module)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-JWT
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-JWT/issues
@@ -12,5 +12,5 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.12
 Requires-Dist: cryptography>=44.0.2
 Requires-Dist: pyjwt>=2.10.1
-Requires-Dist: pypomes-core>=1.8.5
-Requires-Dist: pypomes-db>=1.9.7
+Requires-Dist: pypomes-core>=1.8.6
+Requires-Dist: pypomes-db>=1.9.8

{pypomes_jwt-0.9.8 → pypomes_jwt-1.0.0}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_jwt"
-version = "0.9.8"
+version = "1.0.0"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]
@@ -21,8 +21,8 @@ classifiers = [
 dependencies = [
     "PyJWT>=2.10.1",
     "cryptography>=44.0.2",
-    "pypomes_core>=1.8.5",
-    "pypomes_db>=1.9.7"
+    "pypomes_core>=1.8.6",
+    "pypomes_db>=1.9.8"
 ]
 
 [project.urls]

{pypomes_jwt-0.9.8 → pypomes_jwt-1.0.0}/src/pypomes_jwt/jwt_pomes.py

@@ -1,7 +1,9 @@
 import jwt
+import sys
 from base64 import urlsafe_b64decode
 from flask import Request, Response, request
 from logging import Logger
+from pypomes_core import exc_format
 from pypomes_db import db_select, db_delete
 from typing import Any
 
@@ -152,6 +154,8 @@ def jwt_validate_token(errors: list[str] | None,
     If the *kid* claim contains such an id, then the cryptographic key needed for validation
     will be obtained from the token database. Otherwise, the current decoding key is used.
 
+    On success, return the token's claims (header and payload), as documented in *jwt_get_claims()*
+
     :param errors: incidental error messages
     :param token: the token to be validated
     :param nature: prefix identifying the nature of locally issued tokens
@@ -161,74 +165,91 @@ def jwt_validate_token(errors: list[str] | None,
     """
     # initialize the return variable
     result: dict[str, Any] | None = None
+
     if logger:
         logger.debug(msg="Validate JWT token")
+    op_errors: list[str] = []
 
     # extract needed data from token header
-    token_header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
-    token_kid: str = token_header.get("kid")
-    token_alg: str | None = None
-    token_decoder: bytes | None = None
-    op_errors: list[str] = []
+    token_header: dict[str, Any] | None = None
+    try:
+        token_header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
+    except Exception as e:
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
+        if logger:
+            logger.error(msg=f"Error retrieving the token's header: {exc_err}")
+        op_errors.append(exc_err)
 
-    # retrieve token data from database
-    if nature and not (token_kid and token_kid[0:1] == nature):
-        op_errors.append("Invalid token")
-    elif token_kid and len(token_kid) > 1 and \
-            token_kid[0:1] in ["A", "R"] and token[1:].isdigit():
-        # token was likely issued locally
-        where_data: dict[str, Any] = {JWT_DB_COL_KID: int(token_kid[1:])}
-        if account_id:
-            where_data[JWT_DB_COL_ACCOUNT] = account_id
-        recs: list[tuple[str]] = db_select(errors=op_errors,
-                                           sel_stmt=f"SELECT {JWT_DB_COL_ALGORITHM}, {JWT_DB_COL_DECODER} "
-                                                    f"FROM {JWT_DB_TABLE}",
-                                           where_data=where_data,
-                                           logger=logger)
-        if recs:
-            token_alg = recs[0][0]
-            token_decoder = urlsafe_b64decode(recs[0][1])
-        else:
+    if not op_errors:
+        token_kid: str = token_header.get("kid")
+        token_alg: str | None = None
+        token_decoder: bytes | None = None
+
+        # retrieve token data from database
+        if nature and not (token_kid and token_kid[0:1] == nature):
             op_errors.append("Invalid token")
-    else:
-        token_alg = JWT_DEFAULT_ALGORITHM
-        token_decoder = JWT_DECODING_KEY
+        elif token_kid and len(token_kid) > 1 and \
+                token_kid[0:1] in ["A", "R"] and token_kid[1:].isdigit():
+            # token was likely issued locally
+            where_data: dict[str, Any] = {JWT_DB_COL_KID: int(token_kid[1:])}
+            if account_id:
+                where_data[JWT_DB_COL_ACCOUNT] = account_id
+            recs: list[tuple[str]] = db_select(errors=op_errors,
+                                               sel_stmt=f"SELECT {JWT_DB_COL_ALGORITHM}, {JWT_DB_COL_DECODER} "
+                                                        f"FROM {JWT_DB_TABLE}",
+                                               where_data=where_data,
+                                               logger=logger)
+            if recs:
+                token_alg = recs[0][0]
+                token_decoder = urlsafe_b64decode(recs[0][1])
+            elif op_errors:
+                if logger:
+                    logger.error(msg=f"Error retrieving the token's decoder: {'; '.join(op_errors)}")
+            else:
+                if logger:
+                    logger.error(msg="Token not in the database")
+                op_errors.append("Invalid token")
+        else:
+            token_alg = JWT_DEFAULT_ALGORITHM
+            token_decoder = JWT_DECODING_KEY
 
         # validate the token
-    if not op_errors:
-        try:
-            # raises:
-            #   InvalidTokenError: token is invalid
-            #   InvalidKeyError: authentication key is not in the proper format
-            #   ExpiredSignatureError: token and refresh period have expired
-            #   InvalidSignatureError: signature does not match the one provided as part of the token
-            #   ImmatureSignatureError: 'nbf' or 'iat' claim represents a timestamp in the future
-            #   InvalidAlgorithmError: the specified algorithm is not recognized
-            #   InvalidIssuedAtError: 'iat' claim is non-numeric
-            #   MissingRequiredClaimError: a required claim is not contained in the claimset
-            payload: dict[str, Any] = jwt.decode(jwt=token,
-                                                 options={
-                                                     "verify_signature": True,
-                                                     "verify_exp": True,
-                                                     "verify_nbf": True
-                                                 },
-                                                 key=token_decoder,
-                                                 require=["iat", "iss", "exp", "sub"],
-                                                 algorithms=token_alg)
-            if account_id and payload.get("sub") != account_id:
-                op_errors.append("Token does not belong to account")
-            else:
-                result = {
-                    "header": token_header,
-                    "payload": payload
-                }
-        except Exception as e:
-            op_errors.append(str(e))
+        if not op_errors:
+            try:
+                # raises:
+                #   InvalidTokenError: token is invalid
+                #   InvalidKeyError: authentication key is not in the proper format
+                #   ExpiredSignatureError: token and refresh period have expired
+                #   InvalidSignatureError: signature does not match the one provided as part of the token
+                #   ImmatureSignatureError: 'nbf' or 'iat' claim represents a timestamp in the future
+                #   InvalidAlgorithmError: the specified algorithm is not recognized
+                #   InvalidIssuedAtError: 'iat' claim is non-numeric
+                #   MissingRequiredClaimError: a required claim is not contained in the claimset
+                payload: dict[str, Any] = jwt.decode(jwt=token,
+                                                     options={
+                                                         "verify_signature": True,
+                                                         "verify_exp": True,
+                                                         "verify_nbf": True
+                                                     },
+                                                     key=token_decoder,
+                                                     require=["iat", "iss", "exp", "sub"],
+                                                     algorithms=token_alg)
+                if account_id and payload.get("sub") != account_id:
+                    op_errors.append("Token does not belong to account")
+                else:
+                    result = {
+                        "header": token_header,
+                        "payload": payload
+                    }
+            except Exception as e:
+                exc_err: str = exc_format(exc=e,
+                                          exc_info=sys.exc_info())
+                if logger:
+                    logger.error(msg=f"Error decoding the token: {exc_err}")
+                op_errors.append(exc_err)
 
     if op_errors:
-        err_msg: str = "; ".join(op_errors)
-        if logger:
-            logger.error(msg=err_msg)
         if isinstance(errors, list):
             errors.extend(op_errors)
     elif logger:
@@ -256,7 +277,7 @@ def jwt_revoke_token(errors: list[str] | None,
     result: bool = False
 
     if logger:
-        logger.debug(msg=f"Revoking refresh token of '{account_id}'")
+        logger.debug(msg=f"Revoking token of account '{account_id}'")
 
     op_errors: list[str] = []
     token_claims: dict[str, Any] = jwt_validate_token(errors=op_errors,
@@ -328,13 +349,14 @@ def jwt_issue_token(errors: list[str] | None,
             logger.debug(msg=f"Token is '{result}'")
     except Exception as e:
         # token issuing failed
-        op_errors.append(str(e))
-
-    if op_errors:
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
         if logger:
-            logger.error("; ".join(op_errors))
-        if isinstance(errors, list):
-            errors.extend(op_errors)
+            logger.error(msg=f"Error issuing the token: {exc_err}")
+        op_errors.append(exc_err)
+
+    if op_errors and isinstance(errors, list):
+        errors.extend(op_errors)
 
     return result
 
@@ -378,7 +400,11 @@ def jwt_issue_tokens(errors: list[str] | None,
             logger.debug(msg=f"Token data is '{result}'")
     except Exception as e:
         # token issuing failed
-        op_errors.append(str(e))
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
+        if logger:
+            logger.error(msg=f"Error issuing the token pair: {exc_err}")
+        op_errors.append(exc_err)
 
     if op_errors:
         if logger:
@@ -505,9 +531,11 @@ def jwt_get_claims(errors: list[str] | None,
             "payload": payload
         }
     except Exception as e:
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
         if logger:
-            logger.error(msg=str(e))
+            logger.error(msg=f"Error retrieving the token's claimsn: {exc_err}")
         if isinstance(errors, list):
-            errors.append(str(e))
+            errors.append(exc_err)
 
     return result

{pypomes_jwt-0.9.8 → pypomes_jwt-1.0.0}/src/pypomes_jwt/jwt_registry.py

@@ -379,12 +379,13 @@ def _jwt_persist_token(errors: list[str],
     if logger:
         logger.debug(msg=f"Read {len(recs)} token from storage for account '{account_id}'")
     # remove the expired tokens
-    oldest: int = sys.maxsize
-    surplus: int | None = None
+    just_now: int = int(datetime.now(tz=timezone.utc).timestamp())
+    oldest_ts: int = sys.maxsize
+    oldest_id: int | None = None
     expired: list[int] = []
     for rec in recs:
         token: str = rec[1]
-        token_kid: int = rec[0]
+        token_id: int = rec[0]
         token_claims: dict[str, Any] = jwt_get_claims(errors=errors,
                                                       token=token,
                                                       logger=logger)
@@ -393,14 +394,14 @@ def _jwt_persist_token(errors: list[str],
 
         # find expired tokens
         exp: int = token_claims["payload"].get("exp", sys.maxsize)
-        if exp < datetime.now(tz=timezone.utc).timestamp():
-            expired.append(token_kid)
+        if exp < just_now:
+            expired.append(token_id)
 
         # find oldest token
         iat: int = token_claims["payload"].get("iat", sys.maxsize)
-        if iat < oldest:
-            oldest = exp
-            surplus = token_kid
+        if iat < oldest_ts:
+            oldest_ts = exp
+            oldest_id = token_id
 
     # remove expired tokens from persistence
     if expired:
@@ -419,7 +420,7 @@ def _jwt_persist_token(errors: list[str],
         # delete the oldest token to make way for the new one
         db_delete(errors=errors,
                   delete_stmt=f"DELETE FROM {JWT_DB_TABLE}",
-                  where_data={JWT_DB_COL_KID: surplus},
+                  where_data={JWT_DB_COL_KID: oldest_id},
                   connection=db_conn,
                   logger=logger)
         if errors: