jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License
4.99k stars, 676 forks

sharing namespace jwt conflict, is this possible to prevent? pip install pyJWT gives no warning #938

Closed fenchu closed 3 months ago

fenchu commented 5 months ago

Our testcontainers suddenly all failed with similar errors after the last build:

I suspect some of the other modules have poisoned the jwt namespace.

Expected Result

jwt.decode() should exist

Actual Result

tests/test_03_scim_tokensecurity.py:51: in test01_token_security
    log.info(f"access_token for tenant:{tenant1}: {tools.scim.decode_access_token(access_token=access_token, expire=True)}")
tools/scim.py:111: in decode_access_token
    atd = jwt.decode(access_token, options={"verify_signature": False})
E   AttributeError: module 'jwt' has no attribute 'decode'

Reproduction Steps

The fix was to uninstall and reinstall pyJWT. The jwt namespace was quite empty (no decode or encode); was something else installed into the jwt namespace?

Status: Downloaded newer image xxx.yyy.zzz:4567/id-pro/fido2/multitenant-fullstack-test/multitenant-fullstack-test-chrome:latest
(base) root@f84d1b657677:/test/multitenant-fullstack-test# python
Python 3.12.1 (main, Jan 11 2024, 15:16:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
>>> jwt.__version__
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'jwt' has no attribute '__version__'
>>> dir(jwt)
['AbstractJWKBase', 'AbstractSigningAlgorithm', 'JWKSet', 'JWT', '__all__', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', 'exceptions', 'jwa', 'jwk', 'jwk_from_bytes', 'jwk_from_der', 'jwk_from_dict', 'jwk_from_pem', 'jwkset', 'jws', 'jwt', 'std_hash_by_alg', 'supported_key_types', 'supported_signing_algorithms', 'utils']
>>> exit()
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip install pyJWT --upgrade
Requirement already satisfied: pyJWT in /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages (2.8.0)
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip uninstall pyJWT
Found existing installation: PyJWT 2.8.0
Uninstalling PyJWT-2.8.0:
  Would remove:
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/PyJWT-2.8.0.dist-info/*
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/*
  Would not remove (might be manually added):
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwa.py
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwk.py
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwkset.py
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jws.py
    /root/.pyenv/versions/3.12.1/envs/base/lib/python3.12/site-packages/jwt/jwt.py
Proceed (Y/n)? Y
  Successfully uninstalled PyJWT-2.8.0
(base) root@f84d1b657677:/test/multitenant-fullstack-test# pip install pyJWT --upgrade
Collecting pyJWT
  Using cached PyJWT-2.8.0-py3-none-any.whl.metadata (4.2 kB)
Using cached PyJWT-2.8.0-py3-none-any.whl (22 kB)
Installing collected packages: pyJWT
Successfully installed pyJWT-2.8.0
(base) root@f84d1b657677:/test/multitenant-fullstack-test# python
Python 3.12.1 (main, Jan 11 2024, 15:16:36) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
>>> jwt.__version__
'2.8.0'

Windows 11 and Ubuntu 22.04 LTS

The question is which package initially poisoned it? No mention of any other jwt package here?

(base) root@6bf639ed0df9:/test/multitenant-fullstack-test# pip list
Package                    Version      Editable project location
-------------------------- ------------ --------------------------------
aenum                      3.1.15
aiohttp                    3.9.1
aiosignal                  1.3.1
allure-pytest              2.13.2
allure-python-commons      2.13.2
ansi2html                  1.9.1
attrs                      23.2.0
Authlib                    1.2.0
beautifulsoup4             4.12.3
certifi                    2023.11.17
cffi                       1.16.0
charset-normalizer         3.3.2
click                      8.1.7
colorama                   0.4.6
coverage                   7.4.0
cryptography               41.0.7
curlify                    2.2.1
deepdiff                   6.7.1
dill                       0.3.7
dparse                     0.6.4b0
elastic-transport          8.11.0
elasticsearch              8.11.1
flatten-dict               0.4.2
frozenlist                 1.4.1
h11                        0.14.0
headless-selenium-test     0.1          /test/headless-selenium-test
idna                       3.6
iniconfig                  2.0.0
Jinja2                     3.1.3
jsonschema                 4.21.0
jsonschema-specifications  2023.12.1
jwt                        1.3.1
ldap3                      2.9.1
Levenshtein                0.23.0
markdown-it-py             3.0.0
MarkupSafe                 2.1.3
marshmallow                3.20.2
mdurl                      0.1.2
multidict                  6.0.4
multitenant-fullstack-test 0.1          /test/multitenant-fullstack-test
ordered-set                4.1.0
outcome                    1.3.0.post0
packaging                  23.0
pillow                     10.2.0
pip                        23.3.2
pluggy                     1.3.0
psutil                     5.9.7
py                         1.11.0
pyasn1                     0.5.1
pycparser                  2.21
pydantic                   1.10.13
Pygments                   2.17.2
PyJWT                      2.8.0
PySocks                    1.7.1
pytest                     7.4.4
pytest-cov                 4.1.0
pytest-html                0.1.dev418
pytest-metadata            3.0.0
pytest-reportportal        5.3.1
python-dateutil            2.8.2
python-Levenshtein         0.23.0
pytz                       2023.3.post1
rapidfuzz                  3.6.1
referencing                0.32.1
reportportal-client        5.5.4
requests                   2.31.0
rich                       13.7.0
rpds-py                    0.17.1
ruamel.yaml                0.18.5
ruamel.yaml.clib           0.2.8
safety                     3.0.0
safety-schemas             0.0.1
selenium                   4.16.0
setuptools                 69.0.3
six                        1.16.0
snaptime                   0.2.4
sniffio                    1.3.0
sortedcontainers           2.4.0
soupsieve                  2.5
thefuzz                    0.20.0
trio                       0.24.0
trio-websocket             0.11.1
typer                      0.9.0
typing_extensions          4.9.0
tzlocal                    5.2
urllib3                    2.1.0
wsproto                    1.2.0
yarl                       1.9.4
fenchu commented 5 months ago

help(jwt) shows that this module has been installed: https://pypi.org/project/jwt/. Troublesome namespace sharing.

fenchu commented 5 months ago

It is jwt that does not go well with pyJWT; it is installed by an update of Safety:

#13 63.06 Collecting jwt==1.3.1 (from safety>=2.1.1->multitenant-fullstack-test==0.1)
#13 63.07   Downloading jwt-1.3.1-py3-none-any.whl (18 kB)

Is there a way to mark this as incompatible with your module, since you are sharing a namespace?
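Because pip never warns when two distributions write into the same top-level package (here PyJWT 2.8.0 and jwt 1.3.1 both own `jwt/`), the check below reads each distribution's RECORD through `importlib.metadata` and reports every top-level name claimed by more than one distribution, plus the import-surface probe that would have caught the `AttributeError` in CI. This is an added example, not code from the issue or from the pyjwt project; `SAMPLE` is constructed RECORD data mirroring the issue, and the input shape for `top_level_owners` is `(distribution name, RECORD-style paths relative to site-packages)`.

```python
import importlib
from collections import defaultdict
from importlib import metadata
from pathlib import PurePosixPath


def top_level_owners(dist_files):
    """Map top-level package/module -> set of distributions shipping files under it."""
    owners = defaultdict(set)
    for dist_name, paths in dist_files:
        for path in paths:
            parts = PurePosixPath(path).parts
            if not parts or parts[0] == ".." or parts[0].endswith(".dist-info"):
                continue  # scripts outside site-packages, and the metadata dir itself
            top = parts[0]
            if len(parts) == 1:  # single-file module such as six.py; skip .pth, py.typed, ...
                if not top.endswith(".py"):
                    continue
                top = top[:-3]
            owners[top].add(dist_name)
    return owners


def find_conflicts(dist_files):
    """{top_level_name: sorted distribution names} for names claimed by more than one dist."""
    return {top: sorted(ds) for top, ds in top_level_owners(dist_files).items() if len(ds) > 1}


def installed_dist_files():
    """(name, file list) for every distribution in this environment, read from its RECORD."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], [str(f) for f in (dist.files or [])]


def missing_api(module_name, required):
    """Names in `required` that `import module_name` does not expose (the AttributeError symptom)."""
    try:
        mod = importlib.import_module(module_name)
    except ImportError:
        return list(required)
    return [name for name in required if not hasattr(mod, name)]


# Constructed RECORD excerpts mirroring the issue: PyJWT 2.8.0 and jwt 1.3.1 both own jwt/.
SAMPLE = [
    ("PyJWT", ["jwt/__init__.py", "jwt/api_jwt.py", "PyJWT-2.8.0.dist-info/RECORD"]),
    ("jwt", ["jwt/__init__.py", "jwt/jwa.py", "jwt/jwk.py", "jwt-1.3.1.dist-info/RECORD"]),
    ("six", ["six.py", "six-1.16.0.dist-info/RECORD"]),
]

if __name__ == "__main__":
    print("sample:", find_conflicts(SAMPLE), "| this env:", find_conflicts(installed_dist_files()))
    print("jwt missing:", missing_api("jwt", ["encode", "decode", "__version__"]))
```

Running `find_conflicts(installed_dist_files())` in a build step fails the image early instead of at the first `jwt.decode()` call; note that a stale `jwt/` directory left behind after an uninstall (the "Would not remove" files above) has no RECORD and is only caught by the `missing_api` probe.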

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days