Closed szmktk closed 2 weeks ago
@MateuszBelczowski I removed some code which I thought was a fossil 🦴 from `users/serializers.py` and the entire `zeton_backend/utils.py`. Could you verify if this is safe? This code was added in 2020 and I'm not sure if it's used at all 🤔

Also the response schema of `/api/token-auth` changed:
before:

```
❯ curl -s -X "POST" "http://localhost:8000/api/token-auth/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"username": "opiekun1","password": "opiekun1"}' | jq
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjozLCJ1c2VybmFtZSI6Im9waWVrdW4xIiwiZXhwIjoxNzE5MDY4ODYyLCJlbWFpbCI6Im1hcmVrLXpldG9uQG1haWxpbmF0b3IuY29tIn0.GqA3koxMnoMDMuDzQoa_XtDMnce9paCD1bNUdgPt2Cg",
  "user": {
    "id": 3,
    "username": "opiekun1"
  }
}
```
after:

```
❯ curl -s -X "POST" "http://localhost:8000/api/token-auth/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"username": "opiekun1","password": "opiekun1"}' | jq
{
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTcxOTE1MDcwNSwiaWF0IjoxNzE5MDY0MzA1LCJqdGkiOiIyMTAyMDU1NjFkNTM0ZTFhOTZlYTk5ODYwZGI5MmZkZSIsInVzZXJfaWQiOjN9.sbEF5Ziw6_LLRU2Hqn94xeykAn9Q1506t5fOzejDdGU",
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzE5MDcxNTA1LCJpYXQiOjE3MTkwNjQzMDUsImp0aSI6IjNlMmYzMTIwMzBlNjQ1ZDY5NjI1YzdmMWQ4OTI3YWNlIiwidXNlcl9pZCI6M30.Wg49AmDeFeN5vRdFGOvv8qWFxjdwA6T8_UBli7CdVpM"
}
```
Is that acceptable? I verified that the token works - I am able to get a 200 OK response from the `GET /api/students/` endpoint.
This pull request updates `pyjwt` to its most recent version as of today. I also decided to ditch the `djangorestframework-jwt-4` package, which seems to be abandoned and was not compatible with `pyjwt` 2.8.0 (`module 'jwt' has no attribute 'ExpiredSignature'` error). This update is important since `pyjwt` 1.7.1 was released in 2018 and contains CWE-327. As of now this is the only high severity Dependabot alert that we have on the backend side of Zeton.