sharing namespace jwt conflict, is this possible to prevent, pip install pyJWT gives no warning
Our testcontainers suddenly all failed with similar errors after the last build:
I suspect some of the other modules have poisoned the jwt namespace.
Expected Result
jwt.decode() should exist
Actual Result
tests/test_03_scim_tokensecurity.py:51: in test01_token_security
log.info(f"access_token for tenant:{tenant1}: {tools.scim.decode_access_token(access_token=access_token, expire=True)}")
tools/scim.py:111: in decode_access_token
atd = jwt.decode(access_token, options={"verify_signature": False})
E AttributeError: module 'jwt' has no attribute 'decode'
Reproduction Steps
Fix was to uninstall and install pyJWT. The jwt namespace is quite empty (no decode and encode)? Something else installed into namespace jwt?
Status: Downloaded newer image xxx.yyy.zzz:4567/id-pro/fido2/multitenant-fullstack-test/multitenant-fullstack-test-chrome:latest
(base) root@f84d1b657677:/test/multitenant-fullstack-test# python
Python 3.12.1 (main, Jan 11 2024, 15:16:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
>>> jwt.__version__
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: module 'jwt' has no attribute '__version__'
>>> dir(jwt)
['AbstractJWKBase', 'AbstractSigningAlgorithm', 'JWKSet', 'JWT', '__all__', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', 'exceptions', 'jwa', 'jwk', 'jwk_from_bytes', 'jwk_from_der', 'jwk_from_dict', 'jwk_from_pem', 'jwkset', 'jws', 'jwt', 'std_hash_by_alg', 'supported_key_types', 'supported_signing_algorithms', 'utils']
>>> exit()
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip install pyJWT --upgrade
Requirement already satisfied: pyJWT in /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages (2.8.0)
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip uninstall pyJWT
Found existing installation: PyJWT 2.8.0
Uninstalling PyJWT-2.8.0:
Would remove:
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/PyJWT-2.8.0.dist-info/*
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/*
Would not remove (might be manually added):
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwa.py
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwk.py
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwkset.py
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jws.py
/root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwt.py
Proceed (Y/n)? Y
Successfully uninstalled PyJWT-2.8.0
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip install pyJWT --upgrade
Collecting pyJWT
Using cached PyJWT-2.8.0-py3-none-any.whl.metadata (4.2 kB)
Using cached PyJWT-2.8.0-py3-none-any.whl (22 kB)
Installing collected packages: pyJWT
Successfully installed pyJWT-2.8.0
(base) root@f84d1b657677:/test/multitenant-fullstack-test# python
Python 3.12.1 (main, Jan 11 2024, 15:16:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
>>> jwt.__version__
'2.8.0'
windows11 and ubuntu 22.04LTS
The question is which package initially poisoned it? No mention of any other jwt package here?
(base) root@6bf639ed0df9:/test/multitenant-fullstack-test# pip list
Package Version Editable project location
-------------------------- ------------ --------------------------------
aenum 3.1.15
aiohttp 3.9.1
aiosignal 1.3.1
allure-pytest 2.13.2
allure-python-commons 2.13.2
ansi2html 1.9.1
attrs 23.2.0
Authlib 1.2.0
beautifulsoup4 4.12.3
certifi 2023.11.17
cffi 1.16.0
charset-normalizer 3.3.2
click 8.1.7
colorama 0.4.6
coverage 7.4.0
cryptography 41.0.7
curlify 2.2.1
deepdiff 6.7.1
dill 0.3.7
dparse 0.6.4b0
elastic-transport 8.11.0
elasticsearch 8.11.1
flatten-dict 0.4.2
frozenlist 1.4.1
h11 0.14.0
headless-selenium-test 0.1 /test/headless-selenium-test
idna 3.6
iniconfig 2.0.0
Jinja2 3.1.3
jsonschema 4.21.0
jsonschema-specifications 2023.12.1
jwt 1.3.1
ldap3 2.9.1
Levenshtein 0.23.0
markdown-it-py 3.0.0
MarkupSafe 2.1.3
marshmallow 3.20.2
mdurl 0.1.2
multidict 6.0.4
multitenant-fullstack-test 0.1 /test/multitenant-fullstack-test
ordered-set 4.1.0
outcome 1.3.0.post0
packaging 23.0
pillow 10.2.0
pip 23.3.2
pluggy 1.3.0
psutil 5.9.7
py 1.11.0
pyasn1 0.5.1
pycparser 2.21
pydantic 1.10.13
Pygments 2.17.2
PyJWT 2.8.0
PySocks 1.7.1
pytest 7.4.4
pytest-cov 4.1.0
pytest-html 0.1.dev418
pytest-metadata 3.0.0
pytest-reportportal 5.3.1
python-dateutil 2.8.2
python-Levenshtein 0.23.0
pytz 2023.3.post1
rapidfuzz 3.6.1
referencing 0.32.1
reportportal-client 5.5.4
requests 2.31.0
rich 13.7.0
rpds-py 0.17.1
ruamel.yaml 0.18.5
ruamel.yaml.clib 0.2.8
safety 3.0.0
safety-schemas 0.0.1
selenium 4.16.0
setuptools 69.0.3
six 1.16.0
snaptime 0.2.4
sniffio 1.3.0
sortedcontainers 2.4.0
soupsieve 2.5
thefuzz 0.20.0
trio 0.24.0
trio-websocket 0.11.1
typer 0.9.0
typing_extensions 4.9.0
tzlocal 5.2
urllib3 2.1.0
wsproto 1.2.0
yarl 1.9.4
help(jwt) shows that this module has been installed: https://pypi.org/project/jwt/
Troublesome sharing namespace
It is jwt that does not go well with pyJWT; it is installed by an update of Safety:
#13 63.06 Collecting jwt==1.3.1 (from safety>=2.1.1->multitenant-fullstack-test==0.1)
#13 63.07 Downloading jwt-1.3.1-py3-none-any.whl (18 kB)
Is there a way to mark this as incompatible with your module, since you are sharing a namespace?
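Which distribution wrote into the `jwt` directory can be read from installed metadata. The following is an added example, not part of the original issue or of PyJWT: it reads each distribution's RECORD under a site-packages directory and reports top-level import names claimed by more than one distribution. The sample tree and the helper names are constructed for illustration and mirror the PyJWT 2.8.0 / jwt 1.3.1 pair shown in the issue.

```python
import tempfile
from collections import defaultdict
from importlib.metadata import distributions
from pathlib import Path

# Constructed sample mirroring the issue: two distributions ship files under jwt/.
SAMPLE = {
    "PyJWT": ("2.8.0", ["jwt/__init__.py", "jwt/api_jwt.py"]),
    "jwt": ("1.3.1", ["jwt/__init__.py", "jwt/jwk.py", "jwt/jwt.py"]),
    "requests": ("2.31.0", ["requests/__init__.py"]),
}

def build_sample(root):
    """Create a throwaway site-packages tree with dist-info METADATA and RECORD files."""
    for name, (version, files) in SAMPLE.items():
        info = root / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
        (info / "RECORD").write_text("".join(f"{f},,\n" for f in files))
        for f in files:
            (root / f).parent.mkdir(parents=True, exist_ok=True)
            (root / f).touch()
    return root

def top_level_owners(site_packages):
    """Map each top-level import name to the distributions whose RECORD lists files under it."""
    owners = defaultdict(set)
    for dist in distributions(path=[str(site_packages)]):
        for f in dist.files or []:
            top = f.parts[0]
            if top == ".." or top == "__pycache__" or top.endswith((".dist-info", ".egg-info")):
                continue  # scripts, bytecode caches and metadata are not import names
            name = top[:-3] if top.endswith(".py") else top
            owners[name].add(f"{dist.metadata['Name']}=={dist.version}")
    return owners

def shared_namespaces(site_packages):
    """Return only the import names claimed by more than one distribution."""
    owners = top_level_owners(site_packages)
    return {name: sorted(d) for name, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(shared_namespaces(build_sample(Path(tmp))))
```

To audit a real environment, pass its site-packages path (for example `sysconfig.get_paths()["purelib"]`) to `shared_namespaces`; running it as a CI step after `pip install` surfaces a collision before the tests hit an `AttributeError`.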
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days