import jwt as jwt_lib import time __all__ = ["Jwt", "JwtDecodeError"] class JwtDecodeError(Exception): pass class Jwt(object): """Base class for building a Json Web Token""" GENERATE = object() ALGORITHM = "HS256" def __init__( self, secret_key, issuer, subject=None, algorithm=None, nbf=GENERATE, ttl=3600, valid_until=None, ): self.secret_key = secret_key """:type str: The secret used to encode the JWT""" self.issuer = issuer """:type str: The issuer of this JWT""" self.subject = subject """:type str: The subject of this JWT, omitted from payload by default""" self.algorithm = algorithm or self.ALGORITHM """:type str: The algorithm used to encode the JWT, defaults to 'HS256'""" self.nbf = nbf """:type int: Time in secs since epoch before which this JWT is invalid. Defaults to now.""" self.ttl = ttl """:type int: Time to live of the JWT in seconds, defaults to 1 hour""" self.valid_until = valid_until """:type int: Time in secs since epoch this JWT is valid for. Overrides ttl if provided.""" self.__decoded_payload = None self.__decoded_headers = None def _generate_payload(self): """:rtype: dict the payload of the JWT to send""" raise NotImplementedError("Subclass must provide a payload.") def _generate_headers(self): """:rtype dict: Additional headers to include in the JWT, defaults to an empty dict""" return {} @classmethod def _from_jwt(cls, headers, payload, key=None): """ Class specific implementation of from_jwt which should take jwt components and return and instance of this Class with jwt information loaded. :return: Jwt object containing the headers, payload and key """ jwt = Jwt( secret_key=key, issuer=payload.get("iss", None), subject=payload.get("sub", None), algorithm=headers.get("alg", None), valid_until=payload.get("exp", None), nbf=payload.get("nbf", None), ) jwt.__decoded_payload = payload jwt.__decoded_headers = headers return jwt @property def payload(self): if self.__decoded_payload: return self.__decoded_payload payload = self._generate_payload().copy() payload["iss"] = self.issuer payload["exp"] = int(time.time()) + self.ttl if self.nbf is not None: if self.nbf == self.GENERATE: payload["nbf"] = int(time.time()) else: payload["nbf"] = self.nbf if self.valid_until: payload["exp"] = self.valid_until if self.subject: payload["sub"] = self.subject return payload @property def headers(self): if self.__decoded_headers: return self.__decoded_headers headers = self._generate_headers().copy() headers["typ"] = "JWT" headers["alg"] = self.algorithm return headers def to_jwt(self, ttl=None): """ Encode this JWT object into a JWT string :param int ttl: override the ttl configured in the constructor :rtype: str The JWT string """ if not self.secret_key: raise ValueError("JWT does not have a signing key configured.") headers = self.headers.copy() payload = self.payload.copy() if ttl: payload["exp"] = int(time.time()) + ttl return jwt_lib.encode( payload, self.secret_key, algorithm=self.algorithm, headers=headers ) @classmethod def from_jwt(cls, jwt, key=""): """ Decode a JWT string into a Jwt object :param str jwt: JWT string :param Optional[str] key: key used to verify JWT signature, if not provided then validation is skipped. :raises JwtDecodeError if decoding JWT fails for any reason. :return: A DecodedJwt object containing the jwt information. """ verify = True if key else False try: headers = jwt_lib.get_unverified_header(jwt) alg = headers.get("alg") if alg != cls.ALGORITHM: raise ValueError( f"Incorrect decoding algorithm {alg}, " f"expecting {cls.ALGORITHM}." ) payload = jwt_lib.decode( jwt, key, algorithms=[cls.ALGORITHM], options={ "verify_signature": verify, "verify_exp": True, "verify_nbf": True, }, ) except Exception as e: raise JwtDecodeError(getattr(e, "message", str(e))) return cls._from_jwt(headers, payload, key) def __str__(self): return "".format(self.to_jwt())