security: replace python-jose with PyJWT for JWT handling #250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

PeakPy wants to merge 1 commit into benavlabs:main from PeakPy:feature/replace-python-jose-with-pyjwt

+13 −13

PeakPy commented Feb 11, 2026

Description

Replaces python-jose with PyJWT to address known security vulnerabilities (CVE-related to alg=none bypass and denial-of-service).

Partially addresses #248 (JWT security concern)

Changes

Removed python-jose>=3.3.0 dependency
Added PyJWT>=2.8.0 dependency
Updated JWT encoding/decoding in security.py to use PyJWT API
Updated exception handling in logout.py to catch jwt.PyJWTError
Converted exp claim to Unix timestamp for PyJWT compliance
Updated uv.lock with new dependency tree

Tests

All existing tests pass (11/11):

Authentication flow
Token creation and verification
User CRUD operations

Checklist

I have read the CONTRIBUTING document
My code follows the code style of this project (ruff, mypy pass)
I have added necessary documentation (if appropriate)
I have added tests that cover my changes (existing tests validate behavior)
All new and existing tests passed

Additional Notes

Token format and behavior remain unchanged for backward compatibility
PyJWT is already a transitive dependency, so lock file impact is minimal
This PR focuses only on the JWT library migration (other items in Dependency & Security Review: JWT, Database, and Background Worker Concerns #248 can be separate PRs)


          security: replace python-jose with PyJWT for JWT handling

357d542

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet