Merge pull request #86 from davemun/jwt-auth

Implements JWT auth for REST API calls.

Author: aoberoi

opentok/opentok.py

@@ -10,6 +10,8 @@
 import platform                # user-agent
 from socket import inet_aton   # create_session
 import xml.dom.minidom as xmldom # create_session
+from jose import jwt           # _create_jwt_auth_header
+import random                  # _create_jwt_auth_header
 
 # compat
 from six.moves.urllib.parse import urlencode
@@ -273,7 +275,7 @@ def headers(self):
         """For internal use."""
         return {
             'User-Agent': 'OpenTok-Python-SDK/' + __version__ + ' ' + platform.python_version(),
-            'X-TB-PARTNER-AUTH': self.api_key + ':' + self.api_secret
+            'X-TB-OPENTOK-AUTH': self._create_jwt_auth_header()
         }
 
     def archive_headers(self):
@@ -444,3 +446,13 @@ def get_archives(self, offset=None, count=None):
 
     def _sign_string(self, string, secret):
         return hmac.new(secret.encode('utf-8'), string.encode('utf-8'), hashlib.sha1).hexdigest()
+
+    def _create_jwt_auth_header(self):
+        payload = {
+                      'ist': 'project',
+                      'iss': self.api_key,
+                      'exp': int(time.time()) + (60*5), # 5 minutes
+                      'jti': '{:f}'.format(random.random())
+                  }
+
+        return jwt.encode(payload, self.api_secret, algorithm='HS256')

setup.py

@@ -31,6 +31,7 @@ def find_version(*file_paths):
     'requests',
     'six',
     'pytz',
+    'python-jose'
 ]
 
 if sys.version_info[0] < 3 or sys.version_info[1] < 4:

tests/__init__.py

@@ -0,0 +1 @@
+from .validate_jwt import validate_jwt_header

tests/test_archive.py

@@ -7,6 +7,7 @@
 import json
 import datetime
 import pytz
+from .validate_jwt import validate_jwt_header
 
 from opentok import OpenTok, Archive, __version__, OutputModes
 
@@ -56,7 +57,7 @@ def test_stop_archive(self):
 
         archive.stop()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -91,7 +92,7 @@ def test_delete_archive(self):
             u('size'): 0,
             u('status'): u('available'),
             u('hasAudio'): True,
-            u('hasVideo'): True,            
+            u('hasVideo'): True,
             u('outputMode'): OutputModes.composed.value,
             u('url'): None,
         })
@@ -101,7 +102,7 @@ def test_delete_archive(self):
 
         archive.delete()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # TODO: test that the object is invalidated

tests/test_archive_api.py

@@ -7,6 +7,7 @@
 import json
 import datetime
 import pytz
+from .validate_jwt import validate_jwt_header
 
 from opentok import OpenTok, Archive, ArchiveList, OutputModes, __version__
 
@@ -41,7 +42,7 @@ def test_start_archive(self):
 
         archive = self.opentok.start_archive(self.session_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -92,7 +93,7 @@ def test_start_archive_with_name(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'))
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -141,7 +142,7 @@ def test_start_voice_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), has_video=False)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -192,7 +193,7 @@ def test_start_individual_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), output_mode=OutputModes.individual)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -244,7 +245,7 @@ def test_start_composed_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), output_mode=OutputModes.composed)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -297,7 +298,7 @@ def test_stop_archive(self):
 
         archive = self.opentok.stop_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -324,7 +325,7 @@ def test_delete_archive(self):
 
         self.opentok.delete_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
 
@@ -353,7 +354,7 @@ def test_find_archive(self):
 
         archive = self.opentok.get_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -468,7 +469,7 @@ def test_find_archives(self):
 
         archive_list = self.opentok.get_archives()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive_list).to.be.an(ArchiveList)
@@ -528,7 +529,7 @@ def test_find_archives_with_offset(self):
 
         archive_list = self.opentok.get_archives(offset=3)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({
@@ -578,7 +579,7 @@ def test_find_archives_with_count(self):
 
         archive_list = self.opentok.get_archives(count=2)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({
@@ -654,7 +655,7 @@ def test_find_archives_with_offset_and_count(self):
 
         archive_list = self.opentok.get_archives(count=4, offset=2)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({

tests/test_session_creation.py

@@ -4,6 +4,7 @@
 from nose.tools import raises
 from sure import expect
 import httpretty
+from .validate_jwt import validate_jwt_header
 
 from opentok import OpenTok, Session, MediaModes, ArchiveModes, OpenTokException, __version__
 
@@ -22,7 +23,7 @@ def test_create_default_session(self):
 
         session = self.opentok.create_session()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         body = parse_qs(httpretty.last_request().body)
         expect(body).to.have.key(b('p2p.preference')).being.equal([b('enabled')])
@@ -41,7 +42,7 @@ def test_create_routed_session(self):
 
         session = self.opentok.create_session(media_mode=MediaModes.routed)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         body = parse_qs(httpretty.last_request().body)
         expect(body).to.have.key(b('p2p.preference')).being.equal([b('disabled')])
@@ -60,7 +61,7 @@ def test_create_session_with_location_hint(self):
 
         session = self.opentok.create_session(location='12.34.56.78')
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         # ordering of keys is non-deterministic, must parse the body to see if it is correct
         body = parse_qs(httpretty.last_request().body)
@@ -80,7 +81,7 @@ def test_create_routed_session_with_location_hint(self):
 
         session = self.opentok.create_session(location='12.34.56.78', media_mode=MediaModes.routed)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         # ordering of keys is non-deterministic, must parse the body to see if it is correct
         body = parse_qs(httpretty.last_request().body)
@@ -100,7 +101,7 @@ def test_create_manual_archive_mode_session(self):
 
         session = self.opentok.create_session(media_mode=MediaModes.routed, archive_mode=ArchiveModes.manual)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         body = parse_qs(httpretty.last_request().body)
         expect(body).to.have.key(b('p2p.preference')).being.equal([b('disabled')])
@@ -119,7 +120,7 @@ def test_create_always_archive_mode_session(self):
 
         session = self.opentok.create_session(media_mode=MediaModes.routed, archive_mode=ArchiveModes.always)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        validate_jwt_header(self, httpretty.last_request().headers[u('x-tb-opentok-auth')])
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         body = parse_qs(httpretty.last_request().body)
         expect(body).to.have.key(b('p2p.preference')).being.equal([b('disabled')])

tests/validate_jwt.py

@@ -0,0 +1,17 @@
+from six import u
+from sure import expect
+from jose import jwt
+import time
+
+def validate_jwt_header(self, jsonwebtoken):
+    claims = jwt.decode(jsonwebtoken, self.api_secret, algorithms=[u('HS256')])
+    claims.should.have.key(u('iss'))
+    expect(claims[u('iss')]).to.equal(self.api_key)
+    claims.should.have.key(u('ist'))
+    expect(claims[u('ist')]).to.equal(u('project'))
+    claims.should.have.key(u('exp'))
+    expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+    # todo: add test to check for anvil failure code if exp time is greater than anvil expects
+    claims.should.have.key(u('jti'))
+    expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+    expect(float(claims[u('jti')])).to.be.lower_than(float(1))