
Switch from python-jose to pyjwt

Open siebediels opened this issue 1 year ago • 6 comments

Is there a plan to migrate from python-jose to pyjwt? Python-jose isn't maintained any more and contains some known vulnerabilities.

I noticed that there was some effort in #41, but I'm not sure what happened to it. As an intermediate solution, we could perhaps move to python-jose[cryptography], which is already recommended above the default python-jose (with the pure-Python backend)?

siebediels avatar Apr 30 '24 14:04 siebediels

@siebediels I just tested these modifications in #41 locally and they work out of the box.

There could be some improvements regarding Pydantic v2, but otherwise it looks working (with valid tokens).

I'd just merge that one PR and go ahead.

spawn-guy avatar Sep 10 '24 15:09 spawn-guy

If needed, I can make a PR. For now I have a working local version of the code. Just ask ;)

spawn-guy avatar Sep 11 '24 10:09 spawn-guy

Alright... let's do this: https://github.com/dorinclisu/fastapi-auth0/pull/43

spawn-guy avatar Sep 12 '24 15:09 spawn-guy

I've made some updates and some more fixes to the PR. Enforced some verifications by default, unless a developer overrides them explicitly. Now I like it. Let's wait for @dorinclisu to come back to us.

Additionally, I'd like to remove the email namespace parsing. To get the email you need to call the Auth0 Management API directly, I think. Also, this is a private data leak if one includes the email in tokens (so be careful).

spawn-guy avatar Sep 13 '24 10:09 spawn-guy
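The "verifications enforced by default" point above is the security-relevant part of the migration: with PyJWT the algorithm allowlist, issuer, audience and required claims all have to be pinned by the caller, and an `exp` or `aud` that is merely absent is not rejected unless it is listed as required. The following is an added example, not code from the thread, from PR #43 or from the fastapi-auth0 project; the issuer, audience, secret and claims are constructed. It uses HS256 with a shared secret so it runs offline without the `cryptography` backend; against a real Auth0 tenant the key would instead come from `jwt.PyJWKClient(f"https://{DOMAIN}/.well-known/jwks.json").get_signing_key_from_jwt(token).key` with `algorithms=["RS256"]`, and everything else stays the same.

```python
"""Added example: verifying an Auth0-style JWT with PyJWT (>= 2.x) with every check
made explicit: algorithm allowlist, signature, exp/iat, issuer, audience and
required claims. Not code from fastapi-auth0 or PR #43.
"""
import base64
import json
import time

import jwt

# Constructed values: not a real tenant, API identifier or secret.
ISSUER = "https://example.auth0.com/"
AUDIENCE = "https://api.example.com"
SECRET = "constructed-test-secret-do-not-use"


def verify_token(token: str, *, key=SECRET, algorithms=("HS256",),
                 issuer=ISSUER, audience=AUDIENCE, leeway=30) -> dict:
    """Decode and validate; raises a jwt.InvalidTokenError subclass on any failure."""
    return jwt.decode(
        token,
        key,
        # Pin the allowed algorithms here; never take them from the token header.
        algorithms=list(algorithms),
        issuer=issuer,
        audience=audience,
        # PyJWT checks exp/iat/iss/aud only when present, so require them.
        options={"require": ["exp", "iat", "iss", "aud"]},
        leeway=leeway,
    )


def check_token(token: str, **kwargs) -> str:
    """Map the verification outcome to a short label (for logging/metrics)."""
    try:
        verify_token(token, **kwargs)
        return "ok"
    except jwt.ExpiredSignatureError:
        return "expired"
    except jwt.InvalidAudienceError:
        return "wrong audience"
    except jwt.InvalidIssuerError:
        return "wrong issuer"
    except jwt.MissingRequiredClaimError as exc:
        return f"missing claim: {exc.claim}"
    except jwt.InvalidSignatureError:
        return "bad signature"
    except jwt.InvalidAlgorithmError:
        return "algorithm not allowed"
    except jwt.InvalidTokenError:
        return "invalid"


# --- constructed test tokens -------------------------------------------------

def base_claims(ttl: int = 600) -> dict:
    """Claims shaped like an Auth0 access token (constructed sample data)."""
    now = int(time.time())
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|constructed-user",
            "iat": now - 60, "exp": now + ttl, "scope": "read:things"}


def mint(secret: str = SECRET, ttl: int = 600, **overrides) -> str:
    """Sign a test token; pass claim=None to drop that claim entirely."""
    claims = {**base_claims(ttl), **overrides}
    claims = {k: v for k, v in claims.items() if v is not None}
    tok = jwt.encode(claims, secret, algorithm="HS256")
    return tok.decode() if isinstance(tok, bytes) else tok


def forge_alg_none(claims: dict) -> str:
    """The classic 'alg: none' forgery: an unsigned token a lax verifier accepts."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}."


if __name__ == "__main__":
    print(check_token(mint()))                                  # ok
    print(check_token(mint(ttl=-3600)))                         # expired
    print(check_token(mint(aud="https://other.example.com")))   # wrong audience
    print(check_token(mint(aud=None)))                          # missing claim: aud
    print(check_token(mint(secret="attacker-guess")))           # bad signature
    print(check_token(forge_alg_none(base_claims())))           # algorithm not allowed
```

Because the algorithm list is pinned at the call site, a token whose header says `alg: none` (or `HS256` when only `RS256` is allowed) is rejected before any signature or claim logic runs. Any non-standard claim such as an email is just unverified payload data at this layer; trust it only as far as the issuer's token policy warrants.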

Bump.

Unfortunately, no activity on my PR :(

spawn-guy avatar Oct 01 '24 09:10 spawn-guy

Finally, I got some time to publish something as requested:

https://pypi.org/project/fastapi-auth0-pyjwt/

spawn-guy avatar Apr 09 '25 14:04 spawn-guy