pypomes-jwt 1.3.8__tar.gz → 1.4.0__tar.gz

{pypomes_jwt-1.3.8 → pypomes_jwt-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_jwt
-Version: 1.3.8
+Version: 1.4.0
 Summary: A collection of Python pomes, penyeach (JWT module)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-JWT
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-JWT/issues
@@ -13,5 +13,6 @@ Requires-Python: >=3.12
 Requires-Dist: cryptography>=46.0.3
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
-Requires-Dist: pypomes-core>=2.7.8
+Requires-Dist: pypomes-core>=2.8.1
+Requires-Dist: pypomes-crypto>=0.4.8
 Requires-Dist: pypomes-db>=2.8.1

{pypomes_jwt-1.3.8 → pypomes_jwt-1.4.0}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_jwt"
-version = "1.3.8"
+version = "1.4.0"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]
@@ -22,7 +22,8 @@ dependencies = [
     "cryptography>=46.0.3",
     "Flask>=3.1.2",
     "PyJWT>=2.10.1",
-    "pypomes_core>=2.7.8",
+    "pypomes_core>=2.8.1",
+    "pypomes_crypto>=0.4.8",
     "pypomes_db>=2.8.1"
 ]
 

{pypomes_jwt-1.3.8 → pypomes_jwt-1.4.0}/src/pypomes_jwt/__init__.py

@@ -2,7 +2,7 @@ from .jwt_config import (
     JwtConfig, JwtDbConfig, JwtAlgorithm
 )
 from .jwt_pomes import (
-    jwt_needed, jwt_verify_request,
+    jwt_needed, jwt_verify_request, jwt_get_public_key,
     jwt_assert_account, jwt_set_account, jwt_remove_account,
     jwt_issue_token, jwt_issue_tokens, jwt_refresh_tokens,
     jwt_get_claims, jwt_validate_token, jwt_revoke_token
@@ -12,7 +12,7 @@ __all__ = [
     # jwt_config
     "JwtConfig", "JwtDbConfig", "JwtAlgorithm",
     # jwt_pomes
-    "jwt_needed", "jwt_verify_request",
+    "jwt_needed", "jwt_verify_request", "jwt_get_public_key",
     "jwt_assert_account", "jwt_set_account", "jwt_remove_account",
     "jwt_issue_token", "jwt_issue_tokens", "jwt_refresh_tokens",
     "jwt_get_claims", "jwt_validate_token", "jwt_revoke_token"

{pypomes_jwt-1.3.8 → pypomes_jwt-1.4.0}/src/pypomes_jwt/jwt_pomes.py

@@ -1,4 +1,5 @@
 import jwt
+import requests
 import sys
 from base64 import b64decode
 from flask import Request, Response, request
@@ -8,7 +9,7 @@ from pypomes_db import (
     DbEngine, db_connect, db_commit,
     db_rollback, db_close, db_select, db_delete
 )
-from typing import Any
+from typing import Any, Literal
 
 from .jwt_config import JwtConfig, JwtDbConfig
 from .jwt_registry import JwtRegistry
@@ -52,7 +53,7 @@ def jwt_verify_request(request: Request) -> Response:
     # validate the authorization token
     bad_token: bool = True
     if auth_header and auth_header.startswith("Bearer "):
-        # yes, extract and validate the JWT access token
+        # extract and validate the JWT access token
         token: str = auth_header.split(" ")[1]
         claims: dict[str, Any] = jwt_validate_token(token=token,
                                                     nature="A")
@@ -143,6 +144,7 @@ def jwt_validate_token(token: str,
     then the cryptographic key needed for validation will be obtained from the token database.
     Otherwise, the current decoding key is used.
 
+    Validation operations require access to a database table defined by *JWT_DB_TABLE*.
     On success, return the token's claims (*header* and *payload*), as documented in *jwt_get_claims()*
     On failure, *errors* will contain the reason(s) for rejecting *token*.
 
@@ -224,14 +226,17 @@ def jwt_validate_token(token: str,
                 #   InvalidIssuedAtError: 'iat' claim is non-numeric
                 #   MissingRequiredClaimError: a required claim is not contained in the claimset
                 payload: dict[str, Any] = jwt.decode(jwt=token,
+                                                     key=token_decoder,
+                                                     algorithms=token_alg,
                                                      options={
-                                                         "verify_signature": True,
+                                                         "require": ["iat", "iss", "exp", "sub"],
+                                                         "verify_aud": False,
                                                          "verify_exp": True,
-                                                         "verify_nbf": True
-                                                     },
-                                                     key=token_decoder,
-                                                     require=["iat", "iss", "exp", "sub"],
-                                                     algorithms=token_alg)
+                                                         "verify_iat": True,
+                                                         "verify_iss": False,
+                                                         "verify_nbf": True,
+                                                         "verify_signature": True
+                                                     })
                 if account_id and payload.get("sub") != account_id:
                     if logger:
                         logger.error(msg=f"Token does not belong to account '{account_id}'")
@@ -505,7 +510,7 @@ def jwt_refresh_tokens(account_id: str,
 
 def jwt_get_claims(token: str,
                    errors: list[str] = None,
-                   logger: Logger = None) -> dict[str, Any] | None:
+                   logger: Logger = None) -> dict[str, dict[str, Any]] | None:
     """
     Retrieve the claims set of a JWT *token*.
 
@@ -520,8 +525,6 @@ def jwt_get_claims(token: str,
           "kid": "A1234"
         },
         "payload": {
-          "valid-from": <YYYY-MM-DDThh:mm:ss+00:00>
-          "valid-until": <YYYY-MM-DDThh:mm:ss+00:00>
           "birthdate": "1980-01-01",
           "email": "jdoe@mail.com",
           "exp": 1516640454,
@@ -539,13 +542,13 @@ def jwt_get_claims(token: str,
         }
       }
 
-    :param token: the token to be inspected for claims
+    :param token: the reference token
     :param errors: incidental error messages
     :param logger: optional logger
     :return: the token's claimset, or *None* if error
     """
     # initialize the return variable
-    result: dict[str, Any] | None = None
+    result: dict[str, dict[str, Any]] | None = None
 
     if logger:
         logger.debug(msg="Retrieve claims for token")
@@ -562,8 +565,113 @@ def jwt_get_claims(token: str,
         exc_err: str = exc_format(exc=e,
                                   exc_info=sys.exc_info())
         if logger:
-            logger.error(msg=f"Error retrieving the token's claimsn: {exc_err}")
+            logger.error(msg=f"Error retrieving the token's claims: {exc_err}")
         if isinstance(errors, list):
             errors.append(exc_err)
 
     return result
+
+
+def jwt_get_public_key(token: str,
+                       fmt: Literal["DER", "PEM"] = None,
+                       errors: list[str] = None,
+                       logger: Logger = None) -> dict[str, str] | str | None:
+    """
+    Obtain the public key used *token*.
+
+    This is accomplished by requesting the token issuer for its *JWKS* (JSON Web Key Set),
+    containing the public keys used for various purposes, as indicated in the attribute *use*:
+        - *enc*: the key is intended for encryption
+        - *sig*: the key is intended for digital signature
+        - *wrap*: the key is intended for key wrapping
+
+    A typical JWKS set has the following format (for simplicity, 'n' and 'x5c' are truncated):
+        {
+            "keys": [
+                {
+                    "kid": "X2QEcSQ4Tg2M2EK6s2nhRHZH_GwD_zxZtiWVwP4S0tg",
+                    "kty": "RSA",
+                    "alg": "RSA256",
+                    "use": "sig",
+                    "n": "tQmDmyM3tMFt5FMVMbqbQYpaDPf6A5l4e_kTVDBiHrK_bRlGfkk8hYm5SNzNzCZ...",
+                    "e": "AQAB",
+                    "x5c": [
+                        "MIIClzCCAX8CBgGZY0bqrTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARpanVk..."
+                    ],
+                    "x5t": "MHfVp4kBjEZuYOtiaaGsfLCL15Q",
+                    "x5t#S256": "QADezSLgD8emuonBz8hn8ghTnxo7AHX4NVNkr4luEhk"
+                },
+                ...
+            ]
+        }
+
+    The signature key is returned in its original *JWK* (JSON Web Key) format, or converted to
+    either *DER* (Distinguished Encoding Rules) or *PEM* (Privacy-Enhanced Mail) format, as per *ftm*.
+
+    :param token: the reference token
+    :param fmt: the returning key's format
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the public key in *JWT*, *DER*, or *PEM* format, or *None* if error
+    """
+    from pypomes_crypto import crypto_jwk_convert
+
+    # initialize the return variable
+    result: dict[str, str] | str | None = None
+
+    claims: dict[str, Any] = jwt_get_claims(token=token,
+                                            errors=errors,
+                                            logger=logger)
+    if not errors:
+        # obtain the JWKS (JSON Web Key Set) from the token issuer
+        issuer: str = claims["payload"].get("iss")
+        url: str = f"{issuer}/protocol/openid-connect/certs"
+        if logger:
+            logger.debug(msg=f"GET {url}")
+        try:
+            response: requests.Response = requests.get(url=url)
+            if response.status_code == 200:
+                # request succeeded
+                if logger:
+                    logger.debug(msg=f"GET success, status {response.status_code}")
+                # select the appropriate JWK
+                reply: dict[str, list[dict[str, str]]] = response.json()
+                jwk: dict[str, str] | None = None
+                for key in reply["keys"]:
+                    if key.get("use") == "sig":
+                        jwk = key
+                        break
+                if jwk:
+                    # convert from 'JWK' to 'PEM' and save it for further use
+                    if fmt in ["DER", "PEM"]:
+                        # noinspection PyTypeChecker
+                        result = crypto_jwk_convert(jwk=jwk,
+                                                    fmt=fmt)
+                    else:
+                        result = jwk
+                    if fmt and logger:
+                        logger.debug(f"Public key obtained for isuer '{issuer}'")
+                else:
+                    msg: str = (f"Signature public key missing from the JWKS "
+                                f"returned by the token issuer '{issuer}'")
+                    if logger:
+                        logger.error(msg=msg)
+                    if isinstance(errors, list):
+                        errors.append(msg)
+            elif logger:
+                msg: str = f"GET failure, status {response.status_code}, reason {response.reason}"
+                if hasattr(response, "content") and response.content:
+                    msg += f", content {response.content}"
+                logger.error(msg=msg)
+                if isinstance(errors, list):
+                    errors.append(msg)
+        except Exception as e:
+            # the operation raised an exception
+            msg = exc_format(exc=e,
+                             exc_info=sys.exc_info())
+            if logger:
+                logger.error(msg=msg)
+            if isinstance(errors, list):
+                errors.append(msg)
+
+    return result