tina4-python 0.2.201__tar.gz → 0.2.202__tar.gz

{tina4_python-0.2.201 → tina4_python-0.2.202}/PKG-INFO

@@ -1,15 +1,13 @@
 Metadata-Version: 2.4
 Name: tina4-python
-Version: 0.2.201
+Version: 0.2.202
 Summary: Tina4Python - This is not another framework for Python
 Author-email: Andre van Zuydam <andrevanzuydam@gmail.com>
 Requires-Python: <4.0,>=3.12
 Requires-Dist: asyncer>=0.0.8
 Requires-Dist: bcrypt<5.0.0,>=4.2.1
-Requires-Dist: cryptography<45.0.0,>=44.0.0
 Requires-Dist: hypercorn>=0.18.0
 Requires-Dist: jinja2<4.0.0,>=3.1.5
-Requires-Dist: jurigged>=0.6.0
 Requires-Dist: libsass<0.24.0,>=0.23.0
 Requires-Dist: litequeue<0.10,>=0.9
 Requires-Dist: pyjwt<3.0.0,>=2.10.1
@@ -17,6 +15,24 @@ Requires-Dist: python-dotenv<2.0.0,>=1.0.1
 Requires-Dist: requests>=2.32.5
 Requires-Dist: simple-websocket<2.0.0,>=1.1.0
 Requires-Dist: watchdog<7.0.0,>=6.0.0
+Provides-Extra: all-db
+Requires-Dist: firebird-driver>=1.10.0; extra == 'all-db'
+Requires-Dist: mysql-connector-python>=9.3.0; extra == 'all-db'
+Requires-Dist: psycopg2-binary>=2.9.10; extra == 'all-db'
+Requires-Dist: pymongo>=4.0.0; extra == 'all-db'
+Requires-Dist: pymssql>=2.3.0; extra == 'all-db'
+Provides-Extra: dev-reload
+Requires-Dist: jurigged>=0.6.0; extra == 'dev-reload'
+Provides-Extra: firebird
+Requires-Dist: firebird-driver>=1.10.0; extra == 'firebird'
+Provides-Extra: mongo
+Requires-Dist: pymongo>=4.0.0; extra == 'mongo'
+Provides-Extra: mssql
+Requires-Dist: pymssql>=2.3.0; extra == 'mssql'
+Provides-Extra: mysql
+Requires-Dist: mysql-connector-python>=9.3.0; extra == 'mysql'
+Provides-Extra: postgres
+Requires-Dist: psycopg2-binary>=2.9.10; extra == 'postgres'
 Description-Content-Type: text/markdown
 
 # Tina4 Python — This is not a framework

{tina4_python-0.2.201 → tina4_python-0.2.202}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "tina4-python"
-version = "0.2.201"
+version = "0.2.202"
 description = "Tina4Python - This is not another framework for Python"
 authors = [
     {name = "Andre van Zuydam",email = "andrevanzuydam@gmail.com"}
@@ -11,8 +11,7 @@ dependencies = [
     "jinja2>=3.1.5,<4.0.0",
     "libsass (>=0.23.0,<0.24.0)",
     "python-dotenv (>=1.0.1,<2.0.0)",
-    "pyjwt (>=2.10.1,<3.0.0)",
-    "cryptography (>=44.0.0,<45.0.0)",
+    "pyjwt>=2.10.1,<3.0.0",
     "watchdog (>=6.0.0,<7.0.0)",
     "bcrypt (>=4.2.1,<5.0.0)",
     "litequeue (>=0.9,<0.10)",
@@ -20,11 +19,26 @@ dependencies = [
     "asyncer>=0.0.8",
     "hypercorn>=0.18.0",
     "requests>=2.32.5",
-    "jurigged>=0.6.0",
+]
+
+[project.optional-dependencies]
+dev-reload = ["jurigged>=0.6.0"]
+postgres  = ["psycopg2-binary>=2.9.10"]
+mysql     = ["mysql-connector-python>=9.3.0"]
+mssql     = ["pymssql>=2.3.0"]
+firebird  = ["firebird-driver>=1.10.0"]
+mongo     = ["pymongo>=4.0.0"]
+all-db    = [
+    "psycopg2-binary>=2.9.10",
+    "mysql-connector-python>=9.3.0",
+    "pymssql>=2.3.0",
+    "firebird-driver>=1.10.0",
+    "pymongo>=4.0.0",
 ]
 
 [dependency-groups]
 dev = [
+    "jurigged>=0.6.0",
     "flake8>=7.2.0",
     "mkdocs>=1.6.1",
     "mysql-connector-python>=9.3.0",

tina4_python-0.2.202/tina4_python/Auth.py

@@ -0,0 +1,236 @@
+#
+# Tina4 - This is not a 4ramework.
+# Copy-right 2007 - current Tina4
+# License: MIT https://opensource.org/licenses/MIT
+#
+# flake8: noqa: E501
+"""JWT authentication and password hashing for Tina4.
+
+Provides the ``Auth`` class which handles:
+    - HS256 JWT token creation and validation using the ``SECRET`` env var
+    - Configurable token expiry (default 2 minutes, override via
+      ``TINA4_TOKEN_LIMIT`` environment variable)
+    - Password hashing and verification using bcrypt
+    - Payload extraction from valid or expired tokens
+
+The framework creates a global ``tina4_python.tina4_auth`` instance at
+startup. Sessions, secured routes, and middleware all delegate to this
+instance for token operations.
+
+Example::
+
+    from tina4_python import tina4_auth
+
+    token = tina4_auth.get_token({"user_id": 42})
+    is_valid = tina4_auth.valid(token)
+    payload = tina4_auth.get_payload(token)
+    hashed = tina4_auth.get_password("secret")
+    ok = tina4_auth.check_password("secret", hashed)
+"""
+
+__all__ = ["Auth", "AuthJSONSerializer"]
+
+import datetime
+import os
+import jwt
+import bcrypt
+from json import JSONEncoder
+
+
+class AuthJSONSerializer(JSONEncoder):
+    """
+    Custom JSON encoder used by PyJWT when serializing payload objects.
+
+    Ensures that ``datetime.datetime`` instances are correctly converted to ISO-8601
+    strings so they can be embedded in JWT claims.
+    """
+
+    def default(self, o):
+        if isinstance(o, datetime.datetime):
+            return o.isoformat()
+        return super().default(o)
+
+
+class Auth:
+    """
+    Authentication & authorization helper for Tina4 projects.
+
+    Handles:
+      - Password hashing/verification (bcrypt)
+      - Signing JWT tokens with HS256 (SECRET env var)
+      - Verifying JWT tokens with HS256
+      - Simple API-KEY fallback validation
+
+    Environment variables used:
+        - ``SECRET``            → HMAC-SHA256 signing secret for JWT
+        - ``API_KEY``           → optional static API key (checked before JWT)
+        - ``TINA4_TOKEN_LIMIT`` → default token lifetime in minutes (default: 2)
+    """
+
+    secret: str | None = None
+    root_path: str = None
+
+    # ------------------------------------------------------------------
+    # Password handling (bcrypt)
+    # ------------------------------------------------------------------
+    def hash_password(self, text: str) -> str:
+        """
+        Generate a bcrypt hash for the given plain-text password.
+
+        Args:
+            text (str): Plain-text password.
+
+        Returns:
+            str: bcrypt hash (as UTF-8 string). Safe to store in a database.
+        """
+        password_bytes = text.encode("utf-8")
+        salt = bcrypt.gensalt()
+        return bcrypt.hashpw(password_bytes, salt).decode("utf-8")
+
+    def check_password(self, password_hash: str, text: str) -> bool:
+        """
+        Verify a plain-text password against a previously created bcrypt hash.
+
+        Args:
+            password_hash (str): Hash returned by :meth:`hash_password`.
+            text (str): Plain-text password to verify.
+
+        Returns:
+            bool: ``True`` if the password matches the hash.
+        """
+        password_bytes = text.encode("utf-8")
+        return bcrypt.checkpw(password_bytes, password_hash.encode("utf-8"))
+
+    # ------------------------------------------------------------------
+    # Constructor
+    # ------------------------------------------------------------------
+    def __init__(self, root_path: str):
+        """
+        Initialise the Auth helper.
+
+        Detects and removes legacy RS256 key files from older Tina4 installs,
+        printing a one-time migration notice when found.
+
+        Args:
+            root_path (str): Absolute path to the project root.
+        """
+        from tina4_python.Debug import Debug
+        from tina4_python import Messages
+
+        self.root_path = root_path
+        self.secret = os.environ.get("SECRET", "{self.secret}")
+        if self.secret == "{self.secret}":
+            Debug.warning(Messages.MSG_AUTH_NO_SECRET)
+
+        # ------------------------------------------------------------------
+        # One-time RS256 → HS256 migration: remove old key files if present
+        # ------------------------------------------------------------------
+        secrets_dir = os.path.join(root_path, "secrets")
+        legacy_files = [
+            os.path.join(secrets_dir, "private.key"),
+            os.path.join(secrets_dir, "public.key"),
+            os.path.join(secrets_dir, "domain.cert"),
+        ]
+        if any(os.path.isfile(f) for f in legacy_files):
+            for f in legacy_files:
+                if os.path.isfile(f):
+                    os.remove(f)
+            Debug.warning(Messages.MSG_AUTH_RS256_MIGRATION)
+
+    # ------------------------------------------------------------------
+    # JWT creation & verification (HS256)
+    # ------------------------------------------------------------------
+    def get_token(self, payload_data: dict, expiry_minutes: int = 0) -> str:
+        """
+        Create a signed JWT (HS256) containing the supplied payload.
+
+        If ``expires`` is not present in ``payload_data`` an expiration claim
+        will be added automatically using ``TINA4_TOKEN_LIMIT`` (default 2 minutes)
+        or the value supplied via ``expiry_minutes``.
+
+        Args:
+            payload_data (dict): Claims to embed in the token.
+            expiry_minutes (int): Override default token lifetime (0 = use env default).
+
+        Returns:
+            str: Signed JWT (compact serialization).
+        """
+        now = datetime.datetime.now(datetime.timezone.utc)
+
+        if "expires" not in payload_data:
+            token_limit_minutes = int(os.environ.get("TINA4_TOKEN_LIMIT", 2))
+            if expiry_minutes != 0:
+                token_limit_minutes = expiry_minutes
+            expiry_time = now + datetime.timedelta(minutes=token_limit_minutes)
+            payload_data["expires"] = expiry_time.isoformat()
+
+        token = jwt.encode(
+            payload=payload_data,
+            key=self.secret,
+            algorithm="HS256",
+            json_encoder=AuthJSONSerializer,
+        )
+        return token
+
+    def get_payload(self, token: str) -> dict | None:
+        """
+        Decode a JWT and return its payload (without verification of expiry).
+
+        Args:
+            token (str): JWT to decode.
+
+        Returns:
+            dict | None: Payload dictionary or ``None`` on invalid signature.
+        """
+        try:
+            payload = jwt.decode(
+                token,
+                key=self.secret,
+                algorithms=["HS256"],
+                options={"verify_exp": False},
+            )
+            return payload
+        except Exception:
+            return None
+
+    def validate(self, token: str) -> bool:
+        """
+        Full token validation.
+
+        Checks:
+          1. Optional static ``API_KEY`` environment variable (quick bypass)
+          2. HS256 signature using SECRET
+          3. Presence and validity of the ``expires`` claim
+
+        Args:
+            token (str): Bearer token.
+
+        Returns:
+            bool: ``True`` if the token is valid and not expired.
+        """
+        if os.environ.get("API_KEY") and token == os.environ.get("API_KEY"):
+            return True
+
+        try:
+            payload = jwt.decode(
+                token,
+                key=self.secret,
+                algorithms=["HS256"],
+                options={"verify_exp": False},
+            )
+
+            if "expires" not in payload:
+                return False
+
+            expiry_time = datetime.datetime.fromisoformat(payload["expires"])
+            if expiry_time.tzinfo is None:
+                expiry_time = expiry_time.replace(tzinfo=datetime.timezone.utc)
+
+            return datetime.datetime.now(datetime.timezone.utc) <= expiry_time
+
+        except Exception:  # noqa: BLE001
+            return False
+
+    def valid(self, token: str) -> bool:
+        """Alias of :meth:`validate`. Kept for backward compatibility."""
+        return self.validate(token)

{tina4_python-0.2.201 → tina4_python-0.2.202}/tina4_python/Messages.py

@@ -60,6 +60,7 @@ MSG_DB_UNIMPLEMENTED = _('Please implement {driver} in Database.py and make a pu
 
 # --- Auth messages ---
 MSG_AUTH_NO_SECRET = _('No SECRET env var set - using default secret. Set SECRET in your .env for production.')
+MSG_AUTH_RS256_MIGRATION = _('JWT upgraded RS256 → HS256: old key files removed, all existing tokens invalidated. This is a one-time migration.')
 
 # --- WebSocket messages ---
 MSG_WS_CREATE_ERROR = _('Error creating Websocket, perhaps you need to install simple_websocket ?')

tina4_python-0.2.201/tina4_python/Auth.py

@@ -1,354 +0,0 @@
-#
-# Tina4 - This is not a 4ramework.
-# Copy-right 2007 - current Tina4
-# License: MIT https://opensource.org/licenses/MIT
-#
-# flake8: noqa: E501
-"""JWT authentication and password hashing for Tina4.
-
-Provides the ``Auth`` class which handles:
-    - RS256 JWT token creation and validation using auto-generated
-      self-signed certificates (stored in the ``cert/`` directory)
-    - Configurable token expiry (default 24 hours, override via
-      ``TINA4_TOKEN_EXPIRES_IN`` environment variable)
-    - Password hashing and verification using bcrypt
-    - Payload extraction from valid or expired tokens
-
-The framework creates a global ``tina4_python.tina4_auth`` instance at
-startup. Sessions, secured routes, and middleware all delegate to this
-instance for token operations.
-
-Example::
-
-    from tina4_python import tina4_auth
-
-    token = tina4_auth.get_token({"user_id": 42})
-    is_valid = tina4_auth.valid(token)
-    payload = tina4_auth.get_payload(token)
-    hashed = tina4_auth.get_password("secret")
-    ok = tina4_auth.check_password("secret", hashed)
-"""
-
-__all__ = ["Auth", "AuthJSONSerializer"]
-
-import datetime
-import os
-import jwt
-import bcrypt
-from json import JSONEncoder
-from cryptography import x509
-from cryptography.x509 import NameOID
-from cryptography.hazmat.primitives import serialization, hashes
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.backends import default_backend
-
-class AuthJSONSerializer(JSONEncoder):
-    """
-    Custom JSON encoder used by PyJWT when serializing payload objects.
-
-    Ensures that ``datetime.datetime`` instances are correctly converted to ISO-8601
-    strings so they can be embedded in JWT claims.
-    """
-
-    def default(self, o):
-        if isinstance(o, datetime.datetime):
-            return o.isoformat()
-        return super().default(o)
-
-
-class Auth:
-    """
-    Authentication & authorization helper for Tina4 projects.
-
-    Handles:
-      - Password hashing/verification (bcrypt)
-      - Automatic creation and loading of an RSA private/public key pair
-      - Self-signed certificate generation for local HTTPS development
-      - Signing JWT tokens with RS256 (private key)
-      - Verifying JWT tokens with RS256 (public key)
-      - Simple API-KEY fallback validation
-
-    Keys and certificates are stored in ``<root_path>/secrets/``:
-        - private.key   → encrypted PEM private key
-        - public.key    → PEM public key (unencrypted)
-        - domain.cert   → self-signed certificate (for local dev servers)
-
-    Environment variables used:
-        - ``SECRET``            → passphrase used to encrypt the private key
-        - ``API_KEY``           → optional static API key (checked before JWT)
-        - ``TINA4_TOKEN_LIMIT`` → default token lifetime in minutes (default: 2)
-        - Country/State/City/Organization/Domain variables for the cert
-    """
-
-    # ------------------------------------------------------------------
-    # Class-level attributes (set in __init__)
-    # ------------------------------------------------------------------
-    secret: str | None = None          # Passphrase for private key encryption
-    private_key: str = None            # Path to encrypted private key file
-    public_key: str = None             # Path to public key file
-    self_signed: str = None            # Path to self-signed cert file
-    root_path: str = None              # Project root directory
-
-    # Cached key objects (avoid reloading from disk on every request)
-    loaded_private_key = None
-    loaded_public_key = None
-
-    # ------------------------------------------------------------------
-    # Password handling (bcrypt)
-    # ------------------------------------------------------------------
-    def hash_password(self, text: str) -> str:
-        """
-        Generate a bcrypt hash for the given plain-text password.
-
-        Args:
-            text (str): Plain-text password.
-
-        Returns:
-            str: bcrypt hash (as UTF-8 string). Safe to store in a database.
-        """
-        password_bytes = text.encode("utf-8")
-        salt = bcrypt.gensalt()
-        return bcrypt.hashpw(password_bytes, salt).decode("utf-8")
-
-    def check_password(self, password_hash: str, text: str) -> bool:
-        """
-        Verify a plain-text password against a previously created bcrypt hash.
-
-        Args:
-            password_hash (str): Hash returned by :meth:`hash_password`.
-            text (str): Plain-text password to verify.
-
-        Returns:
-            bool: ``True`` if the password matches the hash.
-        """
-        password_bytes = text.encode("utf-8")
-        return bcrypt.checkpw(password_bytes, password_hash.encode("utf-8"))
-
-    # ------------------------------------------------------------------
-    # Private / public key loading (with caching)
-    # ------------------------------------------------------------------
-    def load_private_key(self):
-        """
-        Load (and cache) the RSA private key from ``secrets/private.key``.
-
-        The key is encrypted with the passphrase stored in ``self.secret``
-        (which comes from the environment variable ``SECRET``).
-
-        Returns:
-            cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey
-        """
-        if self.loaded_private_key:
-            return self.loaded_private_key
-
-        with open(self.private_key, "rb") as f:
-            private_key = serialization.load_pem_private_key(
-                f.read(),
-                password=self.secret.encode(),
-                backend=default_backend(),
-            )
-            self.loaded_private_key = private_key
-            return private_key
-
-    def load_public_key(self):
-        """
-        Load (and cache) the RSA public key from ``secrets/public.key``.
-
-        Returns:
-            cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey
-        """
-        if self.loaded_public_key:
-            return self.loaded_public_key
-
-        with open(self.public_key, "rb") as f:
-            public_key = serialization.load_pem_public_key(
-                f.read(), backend=default_backend()
-            )
-            self.loaded_public_key = public_key
-            return public_key
-
-    # ------------------------------------------------------------------
-    # Constructor – creates secrets folder & keys if missing
-    # ------------------------------------------------------------------
-    def __init__(self, root_path: str):
-        """
-        Initialise the Auth helper and ensure cryptographic material exists.
-
-        Args:
-            root_path (str): Absolute path to the project root (where the
-                             ``secrets`` folder will be created).
-        """
-        self.root_path = root_path
-        self.secret = os.environ.get("SECRET", "{self.secret}")
-        if self.secret == "{self.secret}":
-            from tina4_python.Debug import Debug
-            from tina4_python import Messages
-            Debug.warning(Messages.MSG_AUTH_NO_SECRET)
-        self.private_key = os.path.join(root_path, "secrets", "private.key")
-        self.public_key = os.path.join(root_path, "secrets", "public.key")
-        self.self_signed = os.path.join(root_path, "secrets", "domain.cert")
-
-        # Ensure secrets directory exists
-        os.makedirs(os.path.join(root_path, "secrets"), exist_ok=True)
-
-        # ------------------------------------------------------------------
-        # 1. Private key – generate if missing
-        # ------------------------------------------------------------------
-        if not os.path.isfile(self.private_key):
-            private_key = rsa.generate_private_key(
-                public_exponent=65537,
-                key_size=2048,
-            )
-            with open(self.private_key, "wb") as f:
-                f.write(private_key.private_bytes(
-                    encoding=serialization.Encoding.PEM,
-                    format=serialization.PrivateFormat.TraditionalOpenSSL,
-                    encryption_algorithm=serialization.BestAvailableEncryption(self.secret.encode()),
-                ))
-        else:
-            private_key = self.load_private_key()
-
-        # ------------------------------------------------------------------
-        # 2. Public key – derive from private key if missing
-        # ------------------------------------------------------------------
-        if not os.path.isfile(self.public_key):
-            public_key = private_key.public_key()
-            public_pem = public_key.public_bytes(
-                encoding=serialization.Encoding.PEM,
-                format=serialization.PublicFormat.SubjectPublicKeyInfo,
-            )
-            with open(self.public_key, "wb") as f:
-                f.write(public_pem)
-
-        # ------------------------------------------------------------------
-        # 3. Self-signed certificate (useful for local HTTPS servers)
-        # ------------------------------------------------------------------
-        if not os.path.isfile(self.self_signed):
-            subject = issuer = x509.Name(
-                [
-                    x509.NameAttribute(NameOID.COUNTRY_NAME, os.environ.get("COUNTRY", "ZA")),
-                    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, os.environ.get("STATE", "WESTERN CAPE")),
-                    x509.NameAttribute(NameOID.LOCALITY_NAME, os.environ.get("CITY", "CAPE TOWN")),
-                    x509.NameAttribute(NameOID.ORGANIZATION_NAME, os.environ.get("ORGANIZATION", "Tina4")),
-                    x509.NameAttribute(NameOID.COMMON_NAME, os.environ.get("DOMAIN_NAME", "localhost")),
-                ]
-            )
-            cert = (
-                x509.CertificateBuilder()
-                .subject_name(subject)
-                .issuer_name(issuer)
-                .public_key(private_key.public_key())
-                .serial_number(x509.random_serial_number())
-                .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-                .not_valid_after(datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=99999))
-                .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=False)
-                .sign(private_key, hashes.SHA256())
-            )
-
-            with open(self.self_signed, "wb") as f:
-                f.write(cert.public_bytes(serialization.Encoding.PEM))
-
-    # ------------------------------------------------------------------
-    # JWT creation & verification
-    # ------------------------------------------------------------------
-    def get_token(self, payload_data: dict, expiry_minutes: int = 0) -> str:
-        """
-        Create a signed JWT (RS256) containing the supplied payload.
-
-        If ``expires`` is not present in ``payload_data`` an expiration claim
-        will be added automatically using ``TINA4_TOKEN_LIMIT`` (default 2 minutes)
-        or the value supplied via ``expiry_minutes``.
-
-        Args:
-            payload_data (dict): Claims to embed in the token.
-            expiry_minutes (int): Override default token lifetime (0 = use env default).
-
-        Returns:
-            str: Signed JWT (compact serialization).
-        """
-        private_key = self.load_private_key()
-        now = datetime.datetime.now(datetime.timezone.utc)
-
-        if "expires" not in payload_data:
-            token_limit_minutes = int(os.environ.get("TINA4_TOKEN_LIMIT", 2))
-            if expiry_minutes != 0:
-                token_limit_minutes = expiry_minutes
-            expiry_time = now + datetime.timedelta(minutes=token_limit_minutes)
-            payload_data["expires"] = expiry_time.isoformat()
-
-        token = jwt.encode(
-            payload=payload_data,
-            key=private_key,
-            algorithm="RS256",
-            json_encoder=AuthJSONSerializer,
-        )
-        return token
-
-    def get_payload(self, token: str) -> dict | None:
-        """
-        Decode a JWT and return its payload (without verification of expiry).
-
-        Used when you only need the claims and will perform your own validation.
-
-        Args:
-            token (str): JWT to decode.
-
-        Returns:
-            dict | None: Payload dictionary or ``None`` on invalid signature.
-        """
-        public_key = self.load_public_key()
-        try:
-            payload = jwt.decode(token, key=public_key, algorithms=["RS256"])
-            return payload
-        except Exception:
-            return None
-
-    def validate(self, token: str) -> bool:
-        """
-        Full token validation.
-
-        Checks:
-          1. Optional static ``API_KEY`` environment variable (quick bypass)
-          2. RS256 signature using the public key
-          3. Presence and validity of the ``expires`` claim
-
-        Args:
-            token (str): Bearer token.
-
-        Returns:
-            bool: ``True`` if the token is valid and not expired.
-        """
-        # Simple API-KEY fallback (useful for quick internal scripts)
-        if os.environ.get("API_KEY") and token == os.environ.get("API_KEY"):
-            return True
-
-        public_key = self.load_public_key()
-        try:
-            payload = jwt.decode(token, key=public_key, algorithms=["RS256"])
-
-            if "expires" not in payload:
-                return False
-
-            expiry_time = datetime.datetime.fromisoformat(payload["expires"])
-            if expiry_time.tzinfo is None:
-                # Treat naive datetime as UTC for backward compatibility
-                expiry_time = expiry_time.replace(tzinfo=datetime.timezone.utc)
-
-            return datetime.datetime.now(datetime.timezone.utc) <= expiry_time
-
-        except Exception:  # noqa: BLE001 – we intentionally catch everything here
-            return False
-
-    # ------------------------------------------------------------------
-    # Alias for backward compatibility
-    # ------------------------------------------------------------------
-    def valid(self, token: str) -> bool:
-        """
-        Alias of :meth:`validate`. Kept for older codebases.
-
-        Args:
-            token (str): Bearer token.
-
-        Returns:
-            bool: ``True`` if token is valid.
-        """
-        return self.validate(token)