zetonteam / zeton_django


Update pyjwt to 2.8.0 version #102

Closed szmktk closed 2 weeks ago

szmktk commented 2 weeks ago

This pull request updates pyjwt to its most recent version as of today.

I also decided to ditch the djangorestframework-jwt-4 package, which seems to be abandoned and was not compatible with pyjwt 2.8.0 ("module 'jwt' has no attribute 'ExpiredSignature'" error).

This update is important since pyjwt 1.7.1 was released in 2018 and contains CWE-327. As of now this is the only high severity Dependabot alert that we have on the backend side of Zeton.

szmktk commented 2 weeks ago

@MateuszBelczowski I removed some code which I thought was fossil 🦴 from users/serializers.py and the entire zeton_backend/utils.py. Could you verify if this is safe? This code was added in 2020 and I'm not sure if it's used at all 🤔

Also the response schema of /api/token-auth changed:

before:
❯ curl -s -X "POST" "http://localhost:8000/api/token-auth/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"username": "opiekun1","password": "opiekun1"}' | jq
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjozLCJ1c2VybmFtZSI6Im9waWVrdW4xIiwiZXhwIjoxNzE5MDY4ODYyLCJlbWFpbCI6Im1hcmVrLXpldG9uQG1haWxpbmF0b3IuY29tIn0.GqA3koxMnoMDMuDzQoa_XtDMnce9paCD1bNUdgPt2Cg",
  "user": {
    "id": 3,
    "username": "opiekun1"
  }
}

after:
❯ curl -s -X "POST" "http://localhost:8000/api/token-auth/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"username": "opiekun1","password": "opiekun1"}' | jq
{
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTcxOTE1MDcwNSwiaWF0IjoxNzE5MDY0MzA1LCJqdGkiOiIyMTAyMDU1NjFkNTM0ZTFhOTZlYTk5ODYwZGI5MmZkZSIsInVzZXJfaWQiOjN9.sbEF5Ziw6_LLRU2Hqn94xeykAn9Q1506t5fOzejDdGU",
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzE5MDcxNTA1LCJpYXQiOjE3MTkwNjQzMDUsImp0aSI6IjNlMmYzMTIwMzBlNjQ1ZDY5NjI1YzdmMWQ4OTI3YWNlIiwidXNlcl9pZCI6M30.Wg49AmDeFeN5vRdFGOvv8qWFxjdwA6T8_UBli7CdVpM"
}

Is that acceptable? I verified that the token works - I am able to get a 200 OK response from the GET /api/students/ endpoints.
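To make the schema change above concrete, here is an added, stdlib-only helper (not code from the zeton_django project) that reads the unprotected header and claims of the three tokens quoted in the comment and compares claim sets and lifetimes. It does not verify signatures, because the backend's HS256 signing key is not part of the page; the token strings are copied from the curl output above.

```python
import base64
import json

# The three tokens quoted in the PR comment above (copied from the curl output).
# The backend's HS256 signing key is not public, so only the unprotected segments are read.
TOKENS = {
    "before": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjozLCJ1c2VybmFtZSI6Im9waWVrdW4xIiwiZXhwIjoxNzE5MDY4ODYyLCJlbWFpbCI6Im1hcmVrLXpldG9uQG1haWxpbmF0b3IuY29tIn0.GqA3koxMnoMDMuDzQoa_XtDMnce9paCD1bNUdgPt2Cg",
    "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTcxOTE1MDcwNSwiaWF0IjoxNzE5MDY0MzA1LCJqdGkiOiIyMTAyMDU1NjFkNTM0ZTFhOTZlYTk5ODYwZGI5MmZkZSIsInVzZXJfaWQiOjN9.sbEF5Ziw6_LLRU2Hqn94xeykAn9Q1506t5fOzejDdGU",
    "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzE5MDcxNTA1LCJpYXQiOjE3MTkwNjQzMDUsImp0aSI6IjNlMmYzMTIwMzBlNjQ1ZDY5NjI1YzdmMWQ4OTI3YWNlIiwidXNlcl9pZCI6M30.Wg49AmDeFeN5vRdFGOvv8qWFxjdwA6T8_UBli7CdVpM",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS compact serialization strips the '=')."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Parse header and claims of a compact JWS WITHOUT verifying the signature.

    Use this only to look at a token. Authorization decisions must go through a
    verifying decode with the algorithm pinned, e.g. jwt.decode(token, key, algorithms=["HS256"]).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "claims": claims,
            "signature_bytes": len(_b64url_decode(parts[2]))}


def lifetime_seconds(token: str):
    """exp - iat, or None when the token carries no iat (the old token does not)."""
    claims = inspect_token(token)["claims"]
    if "exp" in claims and "iat" in claims:
        return claims["exp"] - claims["iat"]
    return None


def schema_diff(old_token: str, new_token: str):
    """Claims that disappeared from / appeared in the payload after the upgrade."""
    old = set(inspect_token(old_token)["claims"])
    new = set(inspect_token(new_token)["claims"])
    return old - new, new - old


if __name__ == "__main__":
    for name, tok in TOKENS.items():
        info = inspect_token(tok)
        print(name, info["header"]["alg"], sorted(info["claims"]),
              "lifetime:", lifetime_seconds(tok))
    print("removed/added vs old token:", schema_diff(TOKENS["before"], TOKENS["access"]))
```

Running it shows that the old payload carried `username` and `email` while the new pair carries `token_type`, `iat` and `jti` instead, with a 2 h access lifetime and a 24 h refresh lifetime.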