JWT token auth for signing API (bug 1210889)

[kumar303]

This sets the foundation for JWT token auth. The rationale for using header tokens is in the bug (and linked discussion).

TODO:

• add a bunch of docstrings :)

[Nolski]

Why does this appear in both settings.py and lib/settings_base.py?

[kumar303]

settings.py, although the name is misleading, has a comment at the top saying that it's only for development settings. The lib/settings_base.py is the default for all configurations. By default there are no encryption keys so it will fail hard. I need to fix up this patch to configure some keys on each production setting file and also file an ops bug to generate the keys once this lands.

[andymckay]

Stupid question to check for due diligence etc: is this vulnerable to algo: none as per bug 1145024?

[kumar303]

is this vulnerable to algo: none

Not a stupid question at all! I did verify this. We only allow one algorithm here which is configurable and set right now to HMAC-SHA-256. When verifying the signature, PyJWT will only permit this algorithm.

[mstriemer]

Line 16 of apps/api/jwt_auth/handlers.py seems very similar but that uses APIKey.objects.get(key=key, type=SYMMETRIC_JWT_TYPE). Why the difference? Should there be a helper on APIKeyManager like APIKey.objects.get_key(key)?

[kumar303]

Ah, yes. I think a manager function would be really helpful here. The type= filter was my attempt at making APIKey re-usable for other (future) types of keys so I should definitely be doing APIKey.get_jwt_key() or something.

[mstriemer]

r+wc