georgemarshall / django-cryptography

Easily encrypt data in Django
https://django-cryptography.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
371 stars, 69 forks

Django 5.0 warnings: baseconv is deprecated #74

Open MrCocoDev opened 2 years ago

MrCocoDev commented 2 years ago
RemovedInDjango50Warning: The django.utils.baseconv module is deprecated.
    from django.utils import baseconv

https://code.djangoproject.com/ticket/32712

# django_cryptography/core/signing.py
- from django.utils import baseconv
+ from django.core.signing import b62_encode, b62_decode

MrCocoDev commented 2 years ago

I can't create a PR for this repo but here is the diff:

diff --git a/django_cryptography/core/signing.py b/django_cryptography/core/signing.py
index 73ccc7f..c64f526 100644
--- a/django_cryptography/core/signing.py
+++ b/django_cryptography/core/signing.py
@@ -17,7 +17,7 @@ from django.core.signing import (
     b64_encode,
     get_cookie_signer,
 )
-from django.utils import baseconv
+from django.core.signing import b62_encode, b62_decode
 from django.utils.encoding import force_bytes, force_str

 from ..utils.crypto import constant_time_compare, salted_hmac
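
Review bot: the added line `from django.core.signing import b62_encode, b62_decode` is unconditional, so this module fails at import time on any Django version whose django.core.signing does not export those two names. Wrap it in a try/except ImportError that falls back to baseconv, and add the names to the existing parenthesized `from django.core.signing import (` block directly above rather than opening a second import from the same module.
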
@@ -138,7 +138,7 @@ class Signer:

 class TimestampSigner(Signer):
     def timestamp(self):
-        return baseconv.base62.encode(int(time.time()))
+        return b62_encode(int(time.time()))

     def sign(self, value):
         value = force_str(value)
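
Review bot: in `timestamp()`, the string returned by `b62_encode(int(time.time()))` ends up inside every signed value, so it has to be identical to what `baseconv.base62.encode` produced for the same integer, otherwise tokens issued before the change decode to a different time. The patch has no test for this; add one that compares both encoders over a few timestamps on a Django version that still ships both.
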
@@ -152,7 +152,7 @@ class TimestampSigner(Signer):
         """
         result = super().unsign(value)
         value, timestamp = result.rsplit(self.sep, 1)
-        timestamp = baseconv.base62.decode(timestamp)
+        timestamp = b62_decode(timestamp)
         if max_age is not None:
             if isinstance(max_age, datetime.timedelta):
                 max_age = max_age.total_seconds()
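
Review bot: `b62_decode(timestamp)` in `unsign()` now determines what a malformed timestamp field raises, and the lines below feed its result straight into the `max_age` check. Confirm that it returns an int and fails the same way `baseconv.base62.decode` did, and add a test that unsigns a value with `max_age` set so the age check runs through the new decoder.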

georgemarshall commented 2 years ago

I am going to sit on this for now, as I have been re-working the code to add type information. Django 5.0 isn't set to be released until December 2023, over a full year from now.

The unfortunate part is Django 3.2 will still be supported until April 2024. So a compatibility shim will be needed, or Django 3.2 support will be dropped once Django 5.0 is released.

rburhum commented 8 months ago

Getting close to that December date :-)

MrCocoDev commented 8 months ago

@georgemarshall, would this not be as easy as:

try:
    from django.core.signing import b62_encode as encode
    from django.core.signing import b62_decode as decode
except ImportError:
    from django.utils import baseconv
    encode = baseconv.base62.encode
    decode = baseconv.base62.decode

...

 class TimestampSigner(Signer):
     def timestamp(self):
-        return baseconv.base62.encode(int(time.time()))
+        return encode(int(time.time()))

     def sign(self, value):
         value = force_str(value)
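
Review bot: the shim binds the module-level names `encode` and `decode`, which are generic enough in a signing module to be shadowed or mistaken for a bytes/str codec. Keep the fallback but bind it to the Django names (`b62_encode = baseconv.base62.encode` in the `except ImportError:` branch) so the call site reads `b62_encode(int(time.time()))` on every supported version and the shim can be deleted later without touching `TimestampSigner`.
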
@@ -152,7 +152,7 @@ class TimestampSigner(Signer):
         """
         result = super().unsign(value)
         value, timestamp = result.rsplit(self.sep, 1)
-        timestamp = baseconv.base62.decode(timestamp)
+        timestamp = decode(timestamp)
         if max_age is not None:
             if isinstance(max_age, datetime.timedelta):
                 max_age = max_age.total_seconds()

Using try:except: to handle compatibility through imports is pretty powerful, and it's easy to clean up when the compatibility is no longer needed.

jameslao commented 7 months ago

Django 5.0 release is around the corner... any plan to fix this?

saurav-codes commented 7 months ago

Django 5 is released and I am having this error -

  File "/Users/sauravsharma/Developer/work/TPA/worktree_archipay/django-5-upgrades/env/lib/python3.10/site-packages/django_cryptography/core/signing.py", line 20, in <module>
    from django.utils import baseconv
ImportError: cannot import name 'baseconv' from 'django.utils' 

saurav-codes commented 7 months ago

Alright, I fixed the issue.

Initially I tried with pip install --upgrade django-cryptography but that didn't update the package, so then I tried to install it with the git repo, but then it doesn't install it correctly. The core folder was missing. Finally, at last, the above method works.

It seems the issue may be related to the package configuration for installation directly from the repository. The setup.py or pyproject.toml may not be including necessary sub-packages or dependencies for a correct install.

saurav-codes commented 7 months ago

I found the issue in setup.cfg. After this change, I can directly install from the repo and the subfolders (the core folder) are also included now. Idk, maybe this may not be an issue as I am unaware of the third party package code structure, but since this change solves the issue, I created a PR here #106

alexander-schillemans commented 7 months ago

The 1.1 release on PyPi does not include the updated import statements in the core/signing.py which is throwing errors. @georgemarshall Any chance you can push the new version to PyPi?

saurav-codes commented 7 months ago

As of now for those who are having issues can do -

pip install "git+https://github.com/saurav-codes/django-cryptography"

jmaddington commented 6 months ago

As of now for those who are having issues can do -

pip install "git+https://github.com/saurav-codes/django-cryptography"

This is for Django 5.0? As opposed to the comment that MrSage made above?

MrCocoDev commented 6 months ago

Just as a general note, using an unmaintained cryptography library is probably not a good idea. I found some of the patterns shared here were quite extensible and dodged the problem:

https://www.piiano.com/blog/field-level-encryption-in-python-for-django-applications

jmaddington commented 6 months ago

As in you used approach 1 or 2 there?

iyedeisaiah commented 6 months ago

I reverted to django 4.1.3 and this solved the issue. Warning though, other dependencies that depend on django 5.0 like crispy forms, django_q would have to be updated accordingly

vitaliyf commented 6 months ago

This change was already merged to master of this repository as part of https://github.com/georgemarshall/django-cryptography/pull/97 - just hasn't been released to PyPi yet. I opened https://github.com/georgemarshall/django-cryptography/pull/108 to perhaps make that easier.

Redowan-Ahmed commented 5 months ago

I'm using Django 5.0. To use the Django_cryptography, currently I'm using this command because PyPI is not updated yet: pip install "git+https://github.com/saurav-codes/django-cryptography"

vhalis commented 5 months ago

The change in #106 is required for installing from pip. Thanks @saurav-codes for the alternative for now and for the PR!

For those looking for the fix but want to be safe if you need to use a requirements file, you can pin to the commit hash:

django-cryptography @ git+https://github.com/saurav-codes/django-cryptography.git@ac210338dd2c84a410452e0b8e18ddee43f1920f

For pip above version 20.1
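
The difference between the two install forms quoted in this thread (a bare fork URL versus the same URL pinned to a commit hash) can be checked mechanically. The following is an added example, not code from this thread or from django-cryptography; the function names are hypothetical and the `@master` line in the sample is constructed for contrast.

```python
import re
from urllib.parse import urlsplit

FULL_SHA = re.compile(r"[0-9a-f]{40}")  # a complete git commit id, not a short hash

# Constructed sample: lines 2 and 3 are the forms quoted in this thread,
# the "@master" line is an invented branch ref for contrast.
SAMPLE = """\
Django==5.0
django-cryptography @ git+https://github.com/saurav-codes/django-cryptography.git@ac210338dd2c84a410452e0b8e18ddee43f1920f
git+https://github.com/saurav-codes/django-cryptography
django-cryptography @ git+https://github.com/saurav-codes/django-cryptography.git@master
"""


def audit_requirement(line):
    """Return None for non-git lines, else (repo_url, ref, verdict)."""
    line = line.split(" #", 1)[0].strip()  # drop trailing comments
    if not line or line.startswith("#"):
        return None
    # "name @ git+URL" is the direct-reference form; pip also takes a bare URL.
    _, sep, target = line.partition(" @ ")
    url = target.strip() if sep else line
    if not url.startswith("git+"):
        return None
    parts = urlsplit(url[len("git+"):])
    # The revision follows the last "@" in the path; an "@" in the host part
    # (git+ssh://git@host/...) lives in netloc and is not touched here.
    path, at, ref = parts.path.rpartition("@")
    if not at:
        path, ref = parts.path, ""
    repo = f"{parts.scheme}://{parts.netloc}{path}"
    # Only a full commit id is immutable; branches and tags can be moved.
    verdict = "pinned" if FULL_SHA.fullmatch(ref) else "floating"
    return repo, ref, verdict


def floating_git_requirements(text):
    """List (line_number, repo_url, ref) for git requirements not pinned to a commit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        result = audit_requirement(line)
        if result and result[2] == "floating":
            findings.append((number, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for number, repo, ref in floating_git_requirements(SAMPLE):
        print(f"line {number}: {repo} at {ref or 'default branch'} is not pinned to a commit")
```

A floating reference to a third-party fork means whatever that branch contains at install time ends up in the environment, which is why the pinned form is the safer one for a requirements file.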

adrenaline681 commented 3 months ago

Any update? It's already been over 3 months since Django 5 got released and we still can't install django-cryptography properly

kirienko commented 1 month ago

It seems that this issue is solved in #97 and therefore can be closed.

chrisclark commented 1 month ago

The issue is that there is no release that has been made -- not that it is not resolved in the code.

adrenaline681 commented 1 month ago

The issue is that there is no release that has been made -- not that it is not resolved in the code.

Yes, please can we get a new release with these changes?

chrisclark commented 1 month ago

Concretely -- if a package depends on django-cryptography and that package wants to release to pypi, it can't happen without a release of this change first. A pinned github hash in the requirements will be rejected from pypi.

chrisclark commented 1 month ago

I have forked the project, updated some dependencies, and published on pypi here: https://pypi.org/project/django-cryptography-django5/

You can see the fork (and the code) here: https://github.com/chrisclark/django-cryptography/

Feel free to pip install that version for anyone who needs it. Hopefully the changes can be brought into the official project soon. I hate to maintain a weird fork like this.

Simply: pip install django-cryptography-django5==2.2

redblacktree commented 1 month ago

Can we please get a comment from the authors on the pypi release? What is preventing this from happening? Do you need help resolving some issues?

MrCocoDev commented 1 month ago

Open source projects are created and abandoned all the time. Forking the repo and petitioning Pypi for the original name doesn’t seem so farfetched to me.

chrisclark commented 1 month ago

Open source projects are created and abandoned all the time. Forking the repo and petitioning Pypi for the original name doesn’t seem so farfetched to me.

I agree in theory, but in practice I don’t intend on maintaining this indefinitely; if someone wants to pick up the mantle that would be great but it ain’t me, hah! This was easy since I was just updating some dependencies and incorporating changes others had already proposed. But I don’t know the codebase and certainly don’t have the expertise to be touching a bunch of crypto stuff. I promise no one wants me doing that :)

ailandini-accenture commented 1 month ago

Did anyone here switch to a different cryptology package? I'm having a lot of trouble finding one that is explicitly Django 5.0 compatible and actively maintained.

pataquets commented 4 weeks ago

On a cursory status check, maintainer seems quite unresponsive lately (which is understandable, since he has no obligation, keep in mind) and I'm wondering if he might be swamped by work, lost interest, not getting notifications or anything else. Sometimes it's just a newborn baby, which understandably pushes projects aside :smile:. I wonder if he might use some help (e.g. appointing co-maintainers) or want to hand off project maintenance if he's lost interest/not using it anymore, which is perfectly fine. So, I'm pinging @georgemarshall directly to increase the odds the notification finds its way and letting him know there are people interested who might want to step in to keep the project alive (thumb-up this comment to voice your interest). Just a quick note about reasonable expectations will be enough to make everyone aware and proceed forward. I'll leave this comment for a while before opening a typical "Project maintenance status" issue (which might be necessary anyway). I've had some success reviving/keeping projects alive this way in the past, and no doubt this one deserves better than just fading away silently, given the user base (read: potential candidate [co-]maintainers).

@georgemarshall Also, creating a Github organization and transferring the project might be an easy/useful first step for later adding [co-]maintainers you deem trustworthy. In any case, thanks for considering and also thanks for sharing your work. Hope you're doing well.

iklobato commented 2 weeks ago

Django5 needs some general fixes at django_q/core_signing.py, downgrade to latest LTS version:

pip install -U Django==4.2