autopush.jwt

class autopush.jwt.VerifyJWT

Minimally verify a Vapid JWT object.

Why hand roll? Most Python JWT libraries either use a Python elliptic curve library directly, or call one that does, or are abandoned, or a dozen other reasons.

After spending half a day looking for reasonable replacements, I decided to just write the functions we need directly.

THIS IS NOT A FULL JWT REPLACEMENT.

static extract_signature(auth)

Fix the JWT auth token.

The JWA spec defines the signature to be a pair of 32-octet encoded longs. The ecdsa library signs using a raw, 32-octet pair of values (s, r). Cryptography, which uses OpenSSL, uses a DER sequence of (s, r). This function converts the raw ecdsa signature to DER.

Parameters: auth (str) – A JWT authorization token.

Returns: tuple containing the signature material and signature

static extract_assertion(token)

Extract the assertion dictionary from the passed token. This does NOT do validation.

Parameters: token (str) – Partial or full VAPID auth token

Returns: dict of the VAPID claims

static validate_and_extract_assertion(token, key)

Decode a web token into an assertion dictionary.

This attempts to rectify both ecdsa and OpenSSL generated signatures. We use the built-in cryptography library since it wraps libssl and is faster than the Python-only approach.

Parameters:
  • token (str) – VAPID auth token
  • key (str or bitarray) – bitarray containing public key

Returns: dict of the VAPID claims

Raises: InvalidSignature