Upgrade PyJWT to 2.10.0+

- Update PyJWT dependency from <2.10.0 to >=2.10.0
- Update requires-python from >=3.8 to >=3.9 (PyJWT 2.10.0 dropped Python 3.8)
- Remove Python 3.8 from test matrix
- Fix JWT token handling to use custom claim instead of 'sub'

PyJWT 2.10.0 added validation that the 'sub' (subject) claim must be a
string per RFC 7519. The code was storing a dict in the 'sub' claim,
which now fails with InvalidSubjectError. Changed to use a custom
'access_token_data' claim instead.

Author: Adam-D-Lewis

jhub_apps/service/auth.py

@@ -11,7 +11,7 @@
 
 def _create_access_token(data: dict, expires_delta: typing.Optional[timedelta] = None):
     logger.info("Creating access token")
-    to_encode = data.copy()
+    to_encode = {"access_token_data": data.get("sub", data)}
     if expires_delta:
         expire = datetime.utcnow() + expires_delta
     else:
@@ -33,7 +33,7 @@ def _get_jhub_token_from_jwt_token(token):
     )
     try:
         payload = jwt.decode(token, os.environ["JHUB_APP_JWT_SECRET_KEY"], algorithms=["HS256"])
-        access_token_data: dict = payload.get("sub")
+        access_token_data: dict = payload.get("access_token_data")
         if access_token_data is None:
             raise credentials_exception
     except jwt.PyJWTError as e:

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 name = "jhub-apps"
 description = 'JupyterHub Apps'
 readme = "README.md"
-requires-python = ">=3.8"
+requires-python = ">=3.9"
 license = "MIT"
 
 dependencies = [
@@ -26,7 +26,7 @@ dependencies = [
     "python-slugify",
     "cachetools",
     "structlog",
-    "PyJWT<2.10.0",
+    "PyJWT>=2.10.0",
     "GitPython",
     # pinning to avoid unexpected changes in spec causing
     # unexpected breakage
@@ -63,7 +63,7 @@ dependencies = [
 ]
 
 [[tool.hatch.envs.test.matrix]]
-python = ["38", "39", "310", "311", "312"]
+python = ["39", "310", "311", "312"]
 
 [tool.coverage.run]
 branch = true