fix(security): replace python-jose with PyJWT to eliminate ecdsa CVEs
Snyk scan found 3 High severity vulns: two in ecdsa (pulled by python-jose) and one in diskcache (pulled by pySigma, never imported). Remove both vulnerable dependencies and migrate JWT handling to PyJWT. Fix test_logout_revokes_token which broke because test stubs sys.modules[jose] with a MagicMock at collection time; test now uses PyJWT directly.
This commit is contained in:
kitos
+3
-3
@@ -2,7 +2,7 @@
|
||||
|
||||
This module provides pure functions for:
|
||||
- Hashing and verifying passwords using bcrypt via passlib.
|
||||
- Creating JWT access tokens using python-jose.
|
||||
- Creating JWT access tokens using PyJWT.
|
||||
- Managing a Redis-backed token blacklist for revocation.
|
||||
|
||||
No endpoints are defined here.
|
||||
@@ -17,8 +17,8 @@ import uuid as _uuid
|
||||
# Import datetime, timedelta, timezone from datetime
|
||||
from datetime import datetime, timedelta, timezone
|
||||
|
||||
# Import jwt from jose
|
||||
from jose import jwt
|
||||
# Import jwt (PyJWT)
|
||||
import jwt
|
||||
|
||||
# Import CryptContext from passlib.context
|
||||
from passlib.context import CryptContext
|
||||
|
||||
Reference in New Issue
Block a user