Initial implementation of REST API JWT header auth.

Author: Dave Mun

opentok/opentok.py

@@ -10,6 +10,8 @@
 import platform                # user-agent
 from socket import inet_aton   # create_session
 import xml.dom.minidom as xmldom # create_session
+from jose import jwt           # _create_jwt_auth_header
+import random                  # _create_jwt_auth_header
 
 # compat
 from six.moves.urllib.parse import urlencode
@@ -273,7 +275,7 @@ def headers(self):
         """For internal use."""
         return {
             'User-Agent': 'OpenTok-Python-SDK/' + __version__ + ' ' + platform.python_version(),
-            'X-TB-PARTNER-AUTH': self.api_key + ':' + self.api_secret
+            'X-TB-OPENTOK-AUTH': self._create_jwt_auth_header(self.api_key, self.api_secret)
         }
 
     def archive_headers(self):
@@ -444,3 +446,13 @@ def get_archives(self, offset=None, count=None):
 
     def _sign_string(self, string, secret):
         return hmac.new(secret.encode('utf-8'), string.encode('utf-8'), hashlib.sha1).hexdigest()
+
+    def _create_jwt_auth_header(self, api_key, api_secret):
+        payload = {
+                      'ist': 'project',
+                      'iss': api_key,
+                      'exp': int(time.time()) + (60*5), # 5 minutes
+                      'jti': '{:f}'.format(random.random())
+                  }
+
+        return jwt.encode(payload, api_secret, algorithm='HS256')

setup.py

@@ -31,6 +31,7 @@ def find_version(*file_paths):
     'requests',
     'six',
     'pytz',
+    'python-jose'
 ]
 
 if sys.version_info[0] < 3 or sys.version_info[1] < 4:

tests/test_archive.py

@@ -7,6 +7,8 @@
 import json
 import datetime
 import pytz
+from jose import jwt
+import time
 
 from opentok import OpenTok, Archive, __version__, OutputModes
 
@@ -56,7 +58,12 @@ def test_stop_archive(self):
 
         archive.stop()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -91,7 +98,7 @@ def test_delete_archive(self):
             u('size'): 0,
             u('status'): u('available'),
             u('hasAudio'): True,
-            u('hasVideo'): True,            
+            u('hasVideo'): True,
             u('outputMode'): OutputModes.composed.value,
             u('url'): None,
         })
@@ -101,7 +108,12 @@ def test_delete_archive(self):
 
         archive.delete()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # TODO: test that the object is invalidated

tests/test_archive_api.py

@@ -7,6 +7,8 @@
 import json
 import datetime
 import pytz
+from jose import jwt
+import time
 
 from opentok import OpenTok, Archive, ArchiveList, OutputModes, __version__
 
@@ -41,7 +43,12 @@ def test_start_archive(self):
 
         archive = self.opentok.start_archive(self.session_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -92,7 +99,8 @@ def test_start_archive_with_name(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'))
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -141,7 +149,12 @@ def test_start_voice_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), has_video=False)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -192,7 +205,12 @@ def test_start_individual_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), output_mode=OutputModes.individual)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -244,7 +262,12 @@ def test_start_composed_archive(self):
 
         archive = self.opentok.start_archive(self.session_id, name=u('ARCHIVE NAME'), output_mode=OutputModes.composed)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         # non-deterministic json encoding. have to decode to test it properly
@@ -297,7 +320,12 @@ def test_stop_archive(self):
 
         archive = self.opentok.stop_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -324,7 +352,12 @@ def test_delete_archive(self):
 
         self.opentok.delete_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
 
@@ -353,7 +386,12 @@ def test_find_archive(self):
 
         archive = self.opentok.get_archive(archive_id)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive).to.be.an(Archive)
@@ -468,7 +506,12 @@ def test_find_archives(self):
 
         archive_list = self.opentok.get_archives()
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(archive_list).to.be.an(ArchiveList)
@@ -528,7 +571,12 @@ def test_find_archives_with_offset(self):
 
         archive_list = self.opentok.get_archives(offset=3)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({
@@ -578,7 +626,12 @@ def test_find_archives_with_count(self):
 
         archive_list = self.opentok.get_archives(count=2)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({
@@ -654,7 +707,12 @@ def test_find_archives_with_offset_and_count(self):
 
         archive_list = self.opentok.get_archives(count=4, offset=2)
 
-        expect(httpretty.last_request().headers[u('x-tb-partner-auth')]).to.equal(self.api_key+u(':')+self.api_secret)
+        claims = jwt.decode(httpretty.last_request().headers[u('x-tb-opentok-auth')], self.api_secret, algorithms=[u('HS256')])
+        expect(claims[u('iss')]).to.equal(self.api_key)
+        expect(claims[u('ist')]).to.equal(u('project'))
+        expect(float(claims[u('exp')])).to.be.greater_than(float(time.time()))
+        expect(float(claims[u('jti')])).to.be.greater_than_or_equal_to(float(0))
+        expect(float(claims[u('jti')])).to.be.lower_than(float(1))
         expect(httpretty.last_request().headers[u('user-agent')]).to.contain(u('OpenTok-Python-SDK/')+__version__)
         expect(httpretty.last_request().headers[u('content-type')]).to.equal(u('application/json'))
         expect(httpretty.last_request()).to.have.property("querystring").being.equal({