JWT validator with public key verification and permission check
Project description
auth_jwt_validator
A simple and secure JWT validation and permission checking package for DRF and GraphQL APIs.
✨ Features
- 🔐 Verifies JWT tokens using RS256 public keys.
- ⚙️ Supports dynamic domain configuration to fetch keys from
/.well-known/jwks.json. - ⚡ Internal caching of public keys to reduce HTTP calls.
- 🔎 Verifies
exp,iat, andkidfields. - 🔐 Extracts
permissionsanduser_idfrom JWT. - ✅ Validates required permissions.
- ✅ Works with DRF: APIView, GenericAPIView, ViewSet.
- ✅ Supports function-based DRF views.
- ✅ Supports GraphQL (Graphene).
📦 Installation
pip install auth_jwt_validator
⚙️ Configuration
Before using the validator, configure your auth domain in main settings.py:
from auth_jwt_validator.settings import settings
# Set your user service domain dynamically
settings.set_domain("https://auth.myapp.com")
You can also set custom cache TTL (default is 300 seconds):
configure("https://auth.myapp.com", cache_ttl=600)
🚀 Usage
✅ Option 1: DRF Permission Class (Recommended for class-based views)
Add to your APIView, GenericAPIView, or ViewSet:
from rest_framework.views import APIView
from rest_framework.response import Response
from auth_jwt_validator.drf.permissions import HasJWTAndPermissions
class MyView(APIView):
permission_classes = [HasJWTAndPermissions]
required_permissions = ["read_profile"]
def get(self, request):
return Response({"user_id": request.user_id})
You can also use this with GenericAPIView:
from rest_framework.generics import GenericAPIView
class MyGenericView(GenericAPIView):
permission_classes = [HasJWTAndPermissions]
required_permissions = ["read_profile"]
def get(self, request):
return Response({"user_id": request.user_id})
Or inside a ViewSet:
from rest_framework.viewsets import ViewSet
class MyViewSet(ViewSet):
permission_classes = [HasJWTAndPermissions]
required_permissions = ["read_profile"]
def retrieve(self, request, pk=None):
return Response({"user_id": request.user_id, "profile_id": pk})
✅ Option 2: drf_jwt_required Decorator (for function-based views or custom method handling)
Use it for full control over the method:
from rest_framework.views import APIView
from rest_framework.response import Response
from auth_jwt_validator.decorators.drf import drf_jwt_required
class MyView(APIView):
@drf_jwt_required(["read_profile"])
def get(self, request):
return Response({"user_id": request.user_id})
🧠 Tip: This approach bypasses
permission_classesand does everything inline.
✅ With GenericAPIView
from rest_framework.generics import GenericAPIView
class MyGenericView(GenericAPIView):
@drf_jwt_required(["read_profile"])
def get(self, request, *args, **kwargs):
return Response({"user_id": request.user_id})
✅ With ViewSet
from rest_framework.viewsets import ViewSet
class MyViewSet(ViewSet):
@drf_jwt_required(["read_profile"])
def retrieve(self, request, pk=None):
return Response({"user_id": request.user_id, "profile_id": pk})
⚠️ Only use
drf_jwt_requiredwhen you need per-method control and don’t want to usepermission_classes.
🧪 GraphQL Usage (Graphene)
Add the decorator to your GraphQL resolvers:
import graphene
from auth_jwt_validator.decorators.graphql import graphql_jwt_required
class Query(graphene.ObjectType):
me = graphene.String()
@graphql_jwt_required(["read_profile"])
def resolve_me(self, info):
user_id = info.context.user_id
return f"Hello user {user_id}"
🔐 JWT Payload Format
JWTs should contain at minimum:
{
"user_id": "123",
"permissions": ["read_profile", "edit_profile"],
"exp": 1712345678,
"iat": 1712340000,
"iss": "auth.myapp.com"
}
🛠 Internals
validate_jwt_token(token: str, required_permissions: list[str] | None)
- Validates signature using public key (with
kid) - Checks
exp,iat, andiss - Raises:
JWTValidationErrorPermissionDeniedError
💡 Best Practices
- Use
permission_classes = [HasJWTAndPermissions]for most DRF views. - Use
drf_jwt_requiredonly for function-based views or fine-grained control. - Always call
configure(...)once at app startup. - Ensure
/.well-known/jwks.jsonis exposed in your user service.
🤝 Contributing
Pull requests welcome!
📄 License
MIT
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file auth_jwt_validator-0.1.7.tar.gz.
File metadata
- Download URL: auth_jwt_validator-0.1.7.tar.gz
- Upload date:
- Size: 8.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3b37bdf8548265e8b57a6398ee7c56d23ff480d84da3616c7c127a1712fa734c
|
|
| MD5 |
1898117853880a15d6c0235127a0573e
|
|
| BLAKE2b-256 |
a9c2e376bf3d9550a1112b41dd205179267a0016ff561fd1e59f94b896b69e6c
|
File details
Details for the file auth_jwt_validator-0.1.7-py3-none-any.whl.
File metadata
- Download URL: auth_jwt_validator-0.1.7-py3-none-any.whl
- Upload date:
- Size: 10.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
54de0a07d57018319eb028e445d4898387c52b5926861e4d39b29f379208c418
|
|
| MD5 |
ab60faf4a9abb334b7eb1a9700686cb8
|
|
| BLAKE2b-256 |
32d8d2d393ab8be6312ae71d24e26ab063d1d0c690a81144f92bf3479158abb2
|
