Merge branch 'aramboi-master'

Author: mikedebock

README.rst

@@ -29,13 +29,22 @@ Installation
 Usage
 =====
 
-Add the following lines to your Django settings.py file:
+Add the following lines to your Django ``settings.py`` file:
 
 .. code-block:: python
 
  COGNITO_AWS_REGION = '<aws region>' # 'eu-central-1'
-    COGNITO_USER_POOL = '<user pool>' # 'eu-central-1_xYzaq'
-    COGNITO_AUDIENCE = '<client id>' 
+ COGNITO_USER_POOL = '<user pool>' # 'eu-central-1_xYzaq'
+ COGNITO_AUDIENCE = '<client id>'
+
+(Optional) If you want to cache the Cognito public keys between requests you can
+enable the ``COGNITO_PUBLIC_KEYS_CACHING_ENABLED`` setting (it only works if you
+have the Django ``CACHES`` setup to anything other than the dummy backend).
+
+.. code-block:: python
+
+ COGNITO_PUBLIC_KEYS_CACHING_ENABLED = True
+ COGNITO_PUBLIC_KEYS_CACHING_TIMEOUT = 60*60*24 # 24h caching, default is 300s
 
 Also update the rest framework settings to use the correct authentication backend:
 

docs/conf.py

@@ -349,4 +349,3 @@
 # If true, do not generate a @detailmenu in the "Top" node's menu.
 #
 # texinfo_no_detailmenu = False
-

setup.cfg

@@ -7,7 +7,7 @@ testpaths = tests
 universal=1
 
 [flake8]
-max-line-length = 99
+max-line-length = 119
 
 [bumpversion]
 current_version = 0.0.1

src/django_cognito_jwt/__init__.py

@@ -1,3 +1,3 @@
 __version__ = '0.0.1'
 
-from .backend import JSONWebTokenAuthentication
+from .backend import JSONWebTokenAuthentication # noqa

src/django_cognito_jwt/validator.py

@@ -3,6 +3,8 @@
 import requests
 from jwt.algorithms import RSAAlgorithm
 
+from django.conf import settings
+from django.core.cache import cache
 from django.utils.functional import cached_property
 
 
@@ -34,7 +36,17 @@ def _get_public_key(self, token):
  except jwt.DecodeError as exc:
  raise TokenError(str(exc))
 
- jwk_data = self._json_web_keys.get(headers['kid'])
+ if getattr(settings, 'COGNITO_PUBLIC_KEYS_CACHING_ENABLED', False):
+ cache_key = 'django_cognito_jwt:%s' % headers['kid']
+ jwk_data = cache.get(cache_key)
+
+ if not jwk_data:
+ jwk_data = self._json_web_keys.get(headers['kid'])
+ timeout = getattr(settings, 'COGNITO_PUBLIC_KEYS_CACHING_TIMEOUT', 300)
+ cache.set(cache_key, jwk_data, timeout=timeout)
+ else:
+ jwk_data = self._json_web_keys.get(headers['kid'])
+
  if jwk_data:
  return RSAAlgorithm.from_jwk(jwk_data)
 

tests/conftest.py

@@ -30,6 +30,7 @@ def pytest_configure():
  ROOT_URLCONF='urls',
  )
 
+
 def _private_to_public_key(private_key):
  data = copy.deepcopy(private_key)
  del data['d']
@@ -62,6 +63,7 @@ def jwk_private_key_one():
  )
  }
 
+
 @pytest.fixture()
 def jwk_public_key_one(jwk_private_key_one):
  return _private_to_public_key(jwk_private_key_one)

tests/test_validator.py

@@ -41,3 +41,29 @@ def test_validate_token_error_aud(cognito_well_known_keys, jwk_private_key_one):
 
  with pytest.raises(validator.TokenError):
  auth.validate(token)
+
+
+@pytest.mark.parametrize("is_cache_enabled,responses_calls", [
+ (None, 2),
+ (False, 2),
+ (True, 1),
+])
+def test_validate_token_caching(cognito_well_known_keys, jwk_private_key_one, settings, responses, is_cache_enabled,
+ responses_calls):
+ if is_cache_enabled is not None:
+ settings.COGNITO_PUBLIC_KEYS_CACHING_ENABLED = is_cache_enabled
+
+ token = create_jwt_token(
+ jwk_private_key_one,
+ {
+ 'iss': 'https://cognito-idp.eu-central-1.amazonaws.com/bla',
+ 'aud': 'my-audience',
+ 'sub': 'username',
+ })
+ auth = validator.TokenValidator('eu-central-1', 'bla', 'my-audience')
+ auth.validate(token)
+ assert len(responses.calls) == 1
+
+ auth_again = validator.TokenValidator('eu-central-1', 'bla', 'my-audience')
+ auth_again.validate(token)
+ assert len(responses.calls) == responses_calls