GitLocker: The Coding Marketplace

Description:

pythonjwt 4.1.0

python-jwt
Module for generating and verifying JSON Web Tokens.
All versions of python-jwt are now DEPRECATED. I don't have the time to maintain this module.

Note: Versions 3.3.4 and later fix a vulnerability (CVE-2022-39227) in JSON Web Token verification which lets an attacker with a valid token re-use its signature with modified claims. CVE to follow. Please upgrade!
Note: From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.
Note: Versions 1.0.0 and later fix a vulnerability in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. verify_jwt now requires you to specify which signature algorithms are allowed.
Uses jwcrypto to do the heavy lifting.
Supports RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, ES256K, EdDSA and none signature algorithms.
Unit tests, including tests for interoperability with jose.
Supports Python 3.6+. Note: generate_jwt returns the token as a Unicode string.

Example:
import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
payload = { 'foo': 'bar', 'wup': 90 };
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload: assert claims[k] == payload[k]

The API is described here.
Installation
pip install python_jwt

Another Example
You can read and write keys from and to PEM-format strings:
import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
priv_pem = key.export_to_pem(private_key=True, password=None)
pub_pem = key.export_to_pem()
payload = { 'foo': 'bar', 'wup': 90 };
priv_key = jwk.JWK.from_pem(priv_pem)
pub_key = jwk.JWK.from_pem(pub_pem)
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
for k in payload: assert claims[k] == payload[k]

Licence
MIT
Tests
make test

Lint
make lint

Code Coverage
make coverage

coverage.py results are available here.
Coveralls page is here.
Benchmarks
make bench

Here are some results on a laptop with an Intel Core i5-4300M 2.6Ghz CPU and 8Gb RAM running Ubuntu 17.04.

Generate Key
user (ns)
sys (ns)
real (ns)

RSA
103,100,000
200,000
103,341,537

Generate Token
user (ns)
sys (ns)
real (ns)

HS256
220,000
0
226,478

HS384
220,000
0
218,233

HS512
230,000
0
225,823

PS256
1,530,000
10,000
1,536,235

PS384
1,550,000
0
1,549,844

PS512
1,520,000
10,000
1,524,844

RS256
1,520,000
10,000
1,524,565

RS384
1,530,000
0
1,528,074

RS512
1,510,000
0
1,526,089

Load Key
user (ns)
sys (ns)
real (ns)

RSA
210,000
3,000
210,791

Verify Token
user (ns)
sys (ns)
real (ns)

HS256
100,000
0
101,478

HS384
100,000
10,000
103,014

HS512
110,000
0
104,323

PS256
230,000
0
231,058

PS384
240,000
0
237,551

PS512
240,000
0
232,450

RS256
230,000
0
227,737

RS384
230,000
0
230,698

RS512
230,000
0
228,624