feat: jwt_backends - create backend mechanism and add authlib support

[hasB4K]

Hello @k4black,

I've implemented the changes discussed in issue #40. The idea is to add a JWTBackend concept to fastapi-jwt for better security and customization. This allows using other authentication libraries besides python-jose, addressing the security concerns mentioned in #40.

Here's what's new in this PR:

• A jwt_backends folder with PythonJoseJWTBackend and AuthlibJWTBackend.
• A dynamic import system in jwt_backends/__init__.py.
• A define_default_jwt_backend function, so users can pick their preferred backend. I think most will either stick with the default or set it once.
• I've kept python-jose support for now, given its popularity, but we might want to consider a deprecation warning.

I think this approach could also help with:

• Proposal to add a custom message for expired signature and incorrect token #7: making it easier to create custom backends.
• Support standard JWT payload #26: allowing decode_kwargs customization and the "subject" to "sub" swap. Though, standardizing on "sub" might be simpler, that's a side point.

I hope this PR helps.

Have a great week!
Kind regards,

[hasB4K]

default algorithm is now handled in the jwt backend directly.

[hasB4K]

This was moved in the backend PythonJoseJWTBackend. Since the error strings are now in the backend, a dev could create its own backend to customize the error handling like thhis PR wanted to do: #7

[hasB4K]

A simple SingletonArgs to handle the JWTBackend based on their implementation and the algorithm used. Useful to avoid recreating a lot of backends for nothing.

[hasB4K]

authlib doesn't auto add the alg header 🤷‍♂️ - manually adding it

[hasB4K]

useful for people to be able to do:

pip install fastapi-jwt[authlib]

or

pip install fastapi-jwt[python_jose]

[hasB4K]

Authlib is the default if both authlib and python-jose are installed.

[hasB4K]

all the tests changes are about:

• make it parametrize to test the two backends
• mock datetime.now or time.time depending of the backend used (if necessary)
• create a client depending of the backend used (need to be dynamic and wrapped inside a create_example_client to really test the backends, since a JWTBackend is created when JwtAccessBearer is created

[hasB4K]

and for two tests we need to expose unique_identifiers_database with the client

[rjjanuary]

I'm looking at moving to JWT's for a few FastAPI projects and was considering building my own framework. Looking through fastapi-jwt, I love the design, however also feel that it's not in our best interest to rely on python-jose. Has there been any consideration of merging this into the project? If so, is there any additional work needed I could assist with?

[hasB4K]

@rjjanuary, it seems that the maintainer of this project is not very active.
Regarding this PR, I don't think it will be merged, and tbh I would be in favor of a full deprecation of python-jose entirely.

I'm now using fastapi-users which provide an auth framework in which you can select what you want and what you want to change. The project is actively maintained too. They had a similar issue with passlib being unmaintained, and the maintainer of fastapi-users handled the situation very well. See: fastapi-users/fastapi-users#1325

[rjjanuary]

Thank you @hasB4K, I appreciate the quick response. I'll look deeper into fastapi-users, however at first glance it may be a little overkill for current projects.

[codecov]

Codecov Report

Attention: Patch coverage is 98.01980% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 99.08%. Comparing base (19c6038) to head (57b463b).

Files	Patch %	Lines
fastapi_jwt/jwt.py	94.59%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##              main      #41      +/-   ##
===========================================
- Coverage   100.00%   99.08%   -0.92%     
===========================================
  Files            2        6       +4     
  Lines          158      219      +61     
===========================================
+ Hits           158      217      +59     
- Misses           0        2       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[k4black]

@hasB4K Thank you for the great contribution!
Sorry for not being really active, if you eager to use and update this project i can grant you rights. Please write me email at kdchernyshev at gmail dot com and we can have a short call.

Regarding your contribution:
I'll update backends structure a bit to make jwt.py make a backend choice. For now i'll keep backends feature, but in general I agree with deprecation and removal of jose.