[question] itsdangerous vs PyJWT?

[sloria]

Why use PyJWT instead of itsdangerous, which has an implementation of JWS?

[svenstaro]

For our flasky use case, one less dependency would certainly improve things.

+1

EDIT: Actually looking at this more thoroughly, it seems like PyJWT was the choice because it maps very closely to the function of this library. Using itsdangerous on the other hand would require more code on the side of flask-jwt which would be duplicating some of PyJWT's functionality. So all in all, using PyJWT seems sensible to me.

[sloria]

@svenstaro Can you elaborate on why itsdangerous would be any more complex than using PyJWT? The API for itsdangerous is very simple; seems like a simple change to flask-jwt's _default_encode_handler and _default_decode_handler, but I may be missing something.

[svenstaro]

itsdangerous doesn't seem to have token expiry handlers.

[sloria]

itsdangerous has the TimedJSONWebSignatureSerializer, which handles time-based expiry.

[svenstaro]

Oh, well I didn't know that. In that case the project might as well just switch to that one to reduce dependencies.

[sloria]

If the maintainers give a go-ahead on switching to itsdangerous, I would be willing to write a patch.

[mattupstate]

I'm up for removing the dependency. I was ignorant to JWS implementation available in itsdangerous.

[sloria]

I'll get started on a patch this weekend