Add JWT validation test and dependency lock file #1479
Merged
Conversation
Prevent transitive dependency breakage (like authlib 1.7.0 + joserfc) from reaching production undetected:

- Add unit test exercising JWTBearerTokenValidator.authenticate_token() with self-signed RSA keys (no secrets, no network calls)
- Generate requirements.lock via pip-compile for reproducible builds
- Update Dockerfile to install from lock file

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace pip-compile/requirements.lock with uv.lock to match policyengine-us and policyengine-uk conventions:

- Add pyproject.toml (migrated deps from setup.py, hatchling build)
- Generate uv.lock pinning all transitive dependencies
- Update Dockerfile to use uv sync --frozen
- Remove uv.lock from .gitignore (it must be committed)

To update deps: edit pyproject.toml then run `uv lock`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

- Add unit test exercising the `JWTBearerTokenValidator.authenticate_token()` code path used in production — using self-signed RSA keys, no secrets, no network calls
- Add `pyproject.toml` + `uv.lock` for reproducible builds (matching policyengine-us/uk conventions)
- Update Dockerfile to use `uv sync --frozen`

Context

authlib 1.7.0 silently broke production JWT validation by delegating to joserfc, which rejected authlib's `KeySet` type in `guess_key()`. This wasn't caught because:

- `StaticBearerTokenValidator` (fake token matching), never exercising the real validator
- `pip install` pulled the latest authlib on every Docker build

Maintenance

When bumping dependencies in `pyproject.toml`, regenerate the lock file:

The weekly bot PRs (policyengine-us bumps) should include this step.

Test plan

- `test_authenticate_token_with_valid_jwt` — confirms the keyset + validator path works
- `test_authenticate_token_handles_expired_jwt` — confirms expired tokens don't crash
- `test_authenticate_token_rejects_wrong_key` — confirms wrong-key tokens are rejected
- `test_import_key_set_returns_usable_keyset` — confirms `JsonWebKey.import_key_set` output is compatible with `JWTBearerTokenValidator`

🤖 Generated with Claude Code