fix(security): drop python-jose, use PyJWT (closes #128)#129
Conversation
python-jose pulls in `ecdsa`, which has two open advisories: - Minerva timing attack (no fix planned upstream) - Improper input validation (Dependabot blocked by parent constraint) Migrate ontokit/core/auth.py to PyJWT (already a direct dependency). Convert JWKS keys via `jwt.PyJWK(dict).key`; replace `JWTError` with `PyJWTError`. Removes ecdsa, pyasn1, rsa, six, python-jose, and the type stubs from the lockfile (7 packages). Closes #128 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Summary
python-josewithPyJWT(already a direct dependency) for JWT validation inontokit/core/auth.py.ecdsa,pyasn1,rsa,six,python-jose,types-python-jose,types-pyasn1.python-jose==3.5.0's constraint on the olderecdsa.Closes #128.
Changes
ontokit/core/auth.py—from jose import JWTError, jwt→import jwt+from jwt.exceptions import PyJWTError. JWKs are converted viajwt.PyJWK(rsa_key).keybefore passing tojwt.decode. Theexceptclause catchesPyJWTError.tests/unit/test_auth_core.py— replaceJWTErrorwithPyJWTErrorin the one test that mocked a decode failure.pyproject.toml— droppython-jose[cryptography]from runtime deps andtypes-python-josefrom dev deps..pre-commit-config.yaml— replacepython-jose/types-python-josemypy stubs withpyjwt(PyJWT ships its own stubs).uv.lock— regenerated.Why this is safe for our use case
We use JWTs in exactly one direction: validating Zitadel-issued access tokens with RS256 + JWKS rotation. PyJWT covers that path identically to python-jose. We don't use JWE, don't validate OIDC
at_hash, and don't issue JWTs ourselves — none of python-jose's broader feature surface applies here. See issue #128 comments for a fuller drawbacks/counter-positives breakdown.Test plan
pytest tests/ -v— 1515 passedmypy ontokit/— cleanruff check ontokit/— cleanecdsa,python-jose,pyasn1,rsa,sixno longer present inuv.lockjwt, so they don't catch real signature-verification differences between libs.🤖 Generated with Claude Code