Switch jwt library from 'jwt' to 'PyJWT'

Author: gbip

CHANGES.md

@@ -1,3 +1,8 @@
+1.0.4
+-----
+- switch jwt library to pyjwt
+
+
 1.0.3
 -----
 - fix drf spectacular schema generation

django_pyoidc/views.py

@@ -2,6 +2,8 @@
 from importlib import import_module
 from typing import Any, Dict, Optional, TypeVar, Union
 
+import jwt
+
 # import oic
 from django.conf import settings
 from django.contrib import auth, messages
@@ -13,8 +15,6 @@
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
-from jwt import JWT
-from jwt.exceptions import JWTDecodeError
 from oic.utils.http_util import BadRequest
 
 from django_pyoidc.client import OIDCClient
@@ -308,8 +308,9 @@ def post(self, request: HttpRequest) -> HttpResponse:
         result = HttpResponse("")
         try:
             body = request.body.decode("utf-8")[13:]
-            decoded = JWT().decode(body, do_verify=False)  # type: ignore[no-untyped-call] # jwt.JWT is not typed yet
-
+            # Here we do not perform validation because we assume that is later performed by
+            # `logout_sessions_by_sub`/`logout_sessions_by_sid` when calling pyoidc.
+            decoded = jwt.decode(body, options={"verify_signature": False})
             sid = decoded.get("sid")
             sub = decoded.get("sub")
             if sub:
@@ -329,7 +330,7 @@ def post(self, request: HttpRequest) -> HttpResponse:
                 result.status_code = 400
                 result.content = "Got invalid logout token : sub or sid is missing"
                 logger.debug("Got invalid logout token : sub or sid is missing")
-        except JWTDecodeError:
+        except jwt.PyJWTError:
             result.status_code = 400
         except UnicodeDecodeError as e:
             raise SuspiciousOperation(e)

pyproject.toml

@@ -37,7 +37,7 @@ dependencies = [
         "oic==1.7.0",
         "django>=3.2",
         "jsonpickle",
-        "jwt",
+        "pyjwt",
         "pycryptodomex",
 ]
 license-files = ['LICENSE']

requirements/requirements-dev.txt

@@ -2,34 +2,54 @@
 # This file is autogenerated by pip-compile with Python 3.8
 # by the following command:
 #
-#    pip-compile requirements/requirements-dev.in
+#    pip-compile --output-file=requirements/requirements-dev.txt requirements/requirements-dev.in
 #
+anyio==4.5.2
+    # via httpx
 asgiref==3.8.1
     # via
     #   -c requirements/requirements.txt
     #   django
     #   django-stubs
+backports-tarfile==1.2.0
+    # via jaraco-context
 backports-zoneinfo==0.2.1
     # via
     #   -c requirements/requirements.txt
     #   django
+black==24.8.0
+    # via -r requirements/requirements-dev.in
 build==1.2.2.post1
     # via pip-tools
-certifi==2024.12.14
+certifi==2025.1.31
     # via
     #   -c requirements/requirements.txt
+    #   httpcore
+    #   httpx
     #   requests
+cffi==1.17.1
+    # via
+    #   -c requirements/requirements.txt
+    #   cryptography
 cfgv==3.4.0
     # via pre-commit
 charset-normalizer==3.4.1
     # via
     #   -c requirements/requirements.txt
     #   requests
 click==8.1.8
-    # via pip-tools
+    # via
+    #   black
+    #   hatch
+    #   pip-tools
+    #   userpath
+cryptography==44.0.2
+    # via
+    #   -c requirements/requirements.txt
+    #   secretstorage
 distlib==0.3.9
     # via virtualenv
-django==4.2.18
+django==4.2.20
     # via
     #   -c requirements/requirements.txt
     #   django-stubs
@@ -38,37 +58,115 @@ django-stubs[compatible-mypy]==5.1.0
     # via
     #   -r requirements/requirements-dev.in
     #   djangorestframework-stubs
-django-stubs-ext==5.1.2
+django-stubs-ext==5.1.3
     # via django-stubs
 djangorestframework-stubs[compatible-mypy]==3.15.1
     # via -r requirements/requirements-dev.in
+exceptiongroup==1.2.2
+    # via anyio
 filelock==3.16.1
     # via virtualenv
+flake8==7.1.2
+    # via -r requirements/requirements-dev.in
+h11==0.14.0
+    # via httpcore
+hatch==1.14.0
+    # via -r requirements/requirements-dev.in
+hatchling==1.27.0
+    # via hatch
+httpcore==1.0.7
+    # via httpx
+httpx==0.28.1
+    # via hatch
+hyperlink==21.0.0
+    # via hatch
 identify==2.6.1
     # via pre-commit
 idna==3.10
     # via
     #   -c requirements/requirements.txt
+    #   anyio
+    #   httpx
+    #   hyperlink
     #   requests
 importlib-metadata==8.5.0
-    # via build
+    # via
+    #   build
+    #   keyring
+importlib-resources==6.4.5
+    # via
+    #   -c requirements/requirements.txt
+    #   keyring
+isort==5.13.2
+    # via -r requirements/requirements-dev.in
+jaraco-classes==3.4.0
+    # via keyring
+jaraco-context==6.0.1
+    # via keyring
+jaraco-functools==4.1.0
+    # via keyring
+jeepney==0.9.0
+    # via
+    #   keyring
+    #   secretstorage
+keyring==25.5.0
+    # via hatch
+markdown-it-py==3.0.0
+    # via rich
+mccabe==0.7.0
+    # via flake8
+mdurl==0.1.2
+    # via markdown-it-py
+more-itertools==10.5.0
+    # via
+    #   jaraco-classes
+    #   jaraco-functools
 mypy==1.11.2
     # via
     #   -r requirements/requirements-dev.in
     #   django-stubs
     #   djangorestframework-stubs
 mypy-extensions==1.0.0
-    # via mypy
+    # via
+    #   black
+    #   mypy
 nodeenv==1.9.1
     # via pre-commit
 packaging==24.2
-    # via build
+    # via
+    #   black
+    #   build
+    #   hatch
+    #   hatchling
+pathspec==0.12.1
+    # via
+    #   black
+    #   hatchling
+pexpect==4.9.0
+    # via hatch
 pip-tools==7.4.1
     # via -r requirements/requirements-dev.in
 platformdirs==4.3.6
-    # via virtualenv
+    # via
+    #   black
+    #   hatch
+    #   virtualenv
+pluggy==1.5.0
+    # via hatchling
 pre-commit==3.5.0
     # via -r requirements/requirements-dev.in
+ptyprocess==0.7.0
+    # via pexpect
+pycodestyle==2.12.1
+    # via flake8
+pycparser==2.22
+    # via
+    #   -c requirements/requirements.txt
+    #   cffi
+pyflakes==3.2.0
+    # via flake8
+pygments==2.19.1
+    # via rich
 pyproject-hooks==1.2.0
     # via
     #   build
@@ -81,18 +179,32 @@ requests==2.32.3
     # via
     #   -c requirements/requirements.txt
     #   djangorestframework-stubs
-ruff==0.9.1
-    # via -r requirements/requirements-dev.in
+rich==14.0.0
+    # via hatch
+secretstorage==3.3.3
+    # via keyring
+shellingham==1.5.4
+    # via hatch
+sniffio==1.3.1
+    # via anyio
 sqlparse==0.5.3
     # via
     #   -c requirements/requirements.txt
     #   django
 tomli==2.2.1
     # via
+    #   black
     #   build
     #   django-stubs
+    #   hatchling
     #   mypy
     #   pip-tools
+tomli-w==1.0.0
+    # via hatch
+tomlkit==0.13.2
+    # via hatch
+trove-classifiers==2025.3.19.19
+    # via hatchling
 types-docutils==0.21.0.20241128
     # via types-pygments
 types-markdown==3.7.0.20241204
@@ -109,27 +221,39 @@ types-requests==2.32.0.20241016
     # via djangorestframework-stubs
 types-setuptools==75.8.0.20250110
     # via types-pygments
-typing-extensions==4.12.2
+typing-extensions==4.13.0
     # via
     #   -c requirements/requirements.txt
+    #   anyio
     #   asgiref
+    #   black
     #   django-stubs
     #   django-stubs-ext
     #   djangorestframework-stubs
     #   mypy
+    #   rich
 urllib3==2.2.3
     # via
     #   -c requirements/requirements.txt
     #   requests
     #   types-requests
-virtualenv==20.29.0
-    # via pre-commit
+userpath==1.9.2
+    # via hatch
+uv==0.6.11
+    # via hatch
+virtualenv==20.30.0
+    # via
+    #   hatch
+    #   pre-commit
 wheel==0.45.1
     # via pip-tools
 zipp==3.20.2
     # via
     #   -c requirements/requirements.txt
     #   importlib-metadata
+    #   importlib-resources
+zstandard==0.23.0
+    # via hatch
 
 # The following packages are considered to be unsafe in a requirements file:
 # pip