kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): replace python-jose with PyJWT to eliminate ecdsa CVEs

Browse Source 
Snyk scan found 3 High severity vulns: two in ecdsa (pulled by python-jose)
and one in diskcache (pulled by pySigma, never imported). Remove both
vulnerable dependencies and migrate JWT handling to PyJWT. Fix
test_logout_revokes_token which broke because test stubs sys.modules[jose]
with a MagicMock at collection time; test now uses PyJWT directly.
This commit is contained in:
kitos
2026-06-11 09:06:16 +02:00
parent d2a46feba8
commit 1f19bd8432
6 changed files with 18 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/auth.py
+3 -3
View File
@@ -2,7 +2,7 @@
This module provides pure functions for:
- Hashing and verifying passwords using bcrypt via passlib.
- Creating JWT access tokens using python-jose.
- Creating JWT access tokens using PyJWT.
- Managing a Redis-backed token blacklist for revocation.
No endpoints are defined here.
@@ -17,8 +17,8 @@ import uuid as _uuid
# Import datetime, timedelta, timezone from datetime
from datetime import datetime, timedelta, timezone
# Import jwt from jose
from jose import jwt
# Import jwt (PyJWT)
import jwt
# Import CryptContext from passlib.context
from passlib.context import CryptContext
backend/app/dependencies/auth.py
+4 -4
View File
@@ -19,8 +19,8 @@ from fastapi import Cookie, Depends, HTTPException, status
# Import OAuth2PasswordBearer from fastapi.security
from fastapi.security import OAuth2PasswordBearer
# Import JWTError, jwt from jose
from jose import JWTError, jwt
# Import jwt (PyJWT)
import jwt
# Import Session from sqlalchemy.orm
from sqlalchemy.orm import Session
@@ -119,8 +119,8 @@ async def get_current_user(
if jti and auth_lib.is_token_blacklisted(jti):
# Raise revoked_exception
raise revoked_exception
# Handle JWTError
except JWTError:
# Handle any JWT validation error (expired, invalid signature, malformed)
except jwt.exceptions.InvalidTokenError:
# Raise credentials_exception
raise credentials_exception
backend/app/routers/auth.py
+4 -4
View File
@@ -16,8 +16,8 @@ from fastapi import APIRouter, Cookie, Depends, Request, Response
# Import OAuth2PasswordRequestForm from fastapi.security
from fastapi.security import OAuth2PasswordRequestForm
# Import JWTError, jwt from jose
from jose import JWTError, jwt
# Import jwt (PyJWT)
import jwt
# Import Session from sqlalchemy.orm
from sqlalchemy.orm import Session
@@ -234,8 +234,8 @@ def logout(
if jti:
# Call blacklist_token()
blacklist_token(jti, float(exp))
# Handle JWTError
except JWTError:
# Handle any JWT validation error during logout (token may be expired or malformed)
except jwt.exceptions.InvalidTokenError:
# Intentional no-op placeholder
pass